@@ -105,7 +105,7 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.m
Entry | Description
----------- | ------------
-Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
+Folder | A folder should be contained in Here are the steps to create canonical domain names: -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. +1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index fe887a54e4..ccb3b770da 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -32,7 +32,7 @@ The root node for the EnterpriseExt configuration service provider. Supported op Node for setting the custom device ID and string. **DeviceCustomData/CustomID** -Any string value as the device ID. This value appears in **Settings** > **About** > **Info**. +Any string value as the device ID. This value appears in **Settings** > **About** > **Info**. Here's an example for getting custom data. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index febb95a255..cf28233abe 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -593,7 +593,7 @@ Query the device for a specific app subcategory, such as nonStore apps. ``` -The result contains a list of apps, such as <Data>App1/App2/App3</Data>. +The result contains a list of apps, such as \App1/App2/App\
If you don't want to send traffic to Microsoft, use the \
+**Version 1809**
When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. @@ -2970,7 +2953,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)] @@ -3620,8 +3602,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, version 1810* - [!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] @@ -3689,8 +3669,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, version 1810* - [!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] @@ -3897,7 +3875,6 @@ To verify that favorites are in synchronized between Internet Explorer and Micro ->*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] @@ -3994,7 +3971,7 @@ Footnote: - 2 - Supported versions, version 1703. - 3 - Supported versions, version 1709. - 4 - Supported versions, version 1803. -- 5 - Added in the next major update to Windows of Windows 10. +- 5 - Supported versions, version 1809. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 846fbce380..8ff97003f8 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,426 +1,426 @@ ---- -title: Policy CSP - Kerberos -description: Policy CSP - Kerberos -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/08/2018 ---- - -# Policy CSP - Kerberos - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## Kerberos policies - -
-
-
- - Kerberos/AllowForestSearchOrder - -
- - Kerberos/KerberosClientSupportsClaimsCompoundArmor - -
- - Kerberos/RequireKerberosArmoring - -
- - Kerberos/RequireStrictKDCValidation - -
- - Kerberos/SetMaximumContextTokenSize - -
- - Kerberos/UPNNameHints - -
- - -**Kerberos/AllowForestSearchOrder** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
 |
-  |
- |
- |
- |
- |
- |
-
- - - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). - -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. - -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. - -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/RequireKerberosArmoring** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. - -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. - -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. - -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. - -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/RequireStrictKDCValidation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. - -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. - -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/SetMaximumContextTokenSize** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. - -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. - -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. - -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
- - -**Kerberos/UPNNameHints** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. - -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. - - - - - - - - - - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - Kerberos +description: Policy CSP - Kerberos +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/08/2018 +--- + +# Policy CSP - Kerberos + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## Kerberos policies + +
-
+
- + Kerberos/AllowForestSearchOrder + +
- + Kerberos/KerberosClientSupportsClaimsCompoundArmor + +
- + Kerberos/RequireKerberosArmoring + +
- + Kerberos/RequireStrictKDCValidation + +
- + Kerberos/SetMaximumContextTokenSize + +
- + Kerberos/UPNNameHints + +
+ + +**Kerberos/AllowForestSearchOrder** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). + +If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. + +If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use forest search order* +- GP name: *ForestSearch* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + +If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP name: *EnableCbacAndArmor* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/RequireKerberosArmoring** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. + +Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. + +If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. + +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. + +If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Fail authentication requests when Kerberos armoring is not available* +- GP name: *ClientRequireFast* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/RequireStrictKDCValidation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. + +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. + +If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require strict KDC validation* +- GP name: *ValidateKDC* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/SetMaximumContextTokenSize** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. + +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. + +If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. + +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. + +Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set maximum Kerberos SSPI context token buffer size* +- GP name: *MaxTokenSize* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/UPNNameHints** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. + +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. + + + + + + + + + + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index d9da419854..652e5979f3 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,4865 +1,4865 @@ ---- -title: Policy CSP - Privacy -description: Policy CSP - Privacy -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/14/2018 ---- - -# Policy CSP - Privacy - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## Privacy policies - -
-
-
- - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts - -
- - Privacy/AllowCrossDeviceClipboard - -
- - Privacy/AllowInputPersonalization - -
- - Privacy/DisableAdvertisingId - -
- - Privacy/DisablePrivacyExperience - -
- - Privacy/EnableActivityFeed - -
- - Privacy/LetAppsAccessAccountInfo - -
- - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessCalendar - -
- - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessCallHistory - -
- - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessCamera - -
- - Privacy/LetAppsAccessCamera_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessCamera_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessContacts - -
- - Privacy/LetAppsAccessContacts_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessContacts_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessEmail - -
- - Privacy/LetAppsAccessEmail_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessEmail_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessGazeInput - -
- - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessLocation - -
- - Privacy/LetAppsAccessLocation_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessLocation_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessMessaging - -
- - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessMicrophone - -
- - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessMotion - -
- - Privacy/LetAppsAccessMotion_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessMotion_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessNotifications - -
- - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessPhone - -
- - Privacy/LetAppsAccessPhone_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessPhone_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessRadios - -
- - Privacy/LetAppsAccessRadios_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessRadios_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessTasks - -
- - Privacy/LetAppsAccessTasks_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessTasks_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps - -
- - Privacy/LetAppsAccessTrustedDevices - -
- - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps - -
- - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps - -
- - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps - -
- - Privacy/LetAppsGetDiagnosticInfo - -
- - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps - -
- - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps - -
- - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - -
- - Privacy/LetAppsRunInBackground - -
- - Privacy/LetAppsRunInBackground_ForceAllowTheseApps - -
- - Privacy/LetAppsRunInBackground_ForceDenyTheseApps - -
- - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps - -
- - Privacy/LetAppsSyncWithDevices - -
- - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps - -
- - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps - -
- - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps - -
- - Privacy/PublishUserActivities - -
- - Privacy/UploadUserActivities - -
- - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -> [!Note] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - - - - -
- - -**Privacy/AllowCrossDeviceClipboard** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Clipboard synchronization across devices* -- GP name: *AllowCrossDeviceClipboard* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -0 – Not allowed. -1 (default) – Allowed. - - - - -
- - -**Privacy/AllowInputPersonalization** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow input personalization* -- GP name: *AllowInputPersonalization* -- GP path: *Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Choice deferred to user's preference. - - - - -
- - -**Privacy/DisableAdvertisingId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Turn off the advertising ID* -- GP name: *DisableAdvertisingId* -- GP path: *System/User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - - - - -
- - -**Privacy/DisablePrivacyExperience** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - -Value type is integer. -- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. -- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. - -In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. - - - -ADMX Info: -- GP English name: *Don't launch privacy settings experience on user logon* -- GP name: *DisablePrivacyExperience* -- GP path: *Windows Components/OOBE* -- GP ADMX file name: *OOBE.admx* - - - - - - - - - - - - - -
- - -**Privacy/EnableActivityFeed** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. - - - -ADMX Info: -- GP English name: *Enables Activity Feed* -- GP name: *EnableActivityFeed* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). -- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. - - - - -
- - -**Privacy/LetAppsAccessAccountInfo** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCalendar** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCallHistory** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCamera** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessContacts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessEmail** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessGazeInput** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy setting specifies whether Windows apps can access the eye tracker. - - - - -
- - -**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - -
- - -**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - -
- - -**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - -
- - -**Privacy/LetAppsAccessLocation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMessaging** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMicrophone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMotion** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessNotifications** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessPhone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessRadios** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsRunInBackground** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - - -Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsSyncWithDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
- - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
- 1 |
-
- - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
- - -**Privacy/PublishUserActivities** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. - - - -ADMX Info: -- GP English name: *Allow publishing of User Activities* -- GP name: *PublishUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the *user activities*. -- 1 – (default) Enabled. Apps/OS can publish the *user activities*. - - - - -
- - -**Privacy/UploadUserActivities** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 5 |
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -Allows ActivityFeed to upload published 'User Activities'. - - - -ADMX Info: -- GP English name: *Allow upload of User Activities* -- GP name: *UploadUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - Privacy +description: Policy CSP - Privacy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/14/2018 +--- + +# Policy CSP - Privacy + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## Privacy policies + +
-
+
- + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts + +
- + Privacy/AllowCrossDeviceClipboard + +
- + Privacy/AllowInputPersonalization + +
- + Privacy/DisableAdvertisingId + +
- + Privacy/DisablePrivacyExperience + +
- + Privacy/EnableActivityFeed + +
- + Privacy/LetAppsAccessAccountInfo + +
- + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCalendar + +
- + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCallHistory + +
- + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessCamera + +
- + Privacy/LetAppsAccessCamera_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessCamera_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessContacts + +
- + Privacy/LetAppsAccessContacts_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessContacts_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessEmail + +
- + Privacy/LetAppsAccessEmail_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessEmail_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessGazeInput + +
- + Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessLocation + +
- + Privacy/LetAppsAccessLocation_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessLocation_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMessaging + +
- + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMicrophone + +
- + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessMotion + +
- + Privacy/LetAppsAccessMotion_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessMotion_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessNotifications + +
- + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessPhone + +
- + Privacy/LetAppsAccessPhone_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessPhone_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessRadios + +
- + Privacy/LetAppsAccessRadios_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessRadios_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessTasks + +
- + Privacy/LetAppsAccessTasks_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessTasks_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices + +
- + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps + +
- + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo + +
- + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps + +
- + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + +
- + Privacy/LetAppsRunInBackground + +
- + Privacy/LetAppsRunInBackground_ForceAllowTheseApps + +
- + Privacy/LetAppsRunInBackground_ForceDenyTheseApps + +
- + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps + +
- + Privacy/LetAppsSyncWithDevices + +
- + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps + +
- + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps + +
- + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps + +
- + Privacy/PublishUserActivities + +
- + Privacy/UploadUserActivities + +
+ + +**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default)– Not allowed. +- 1 – Allowed. + + + + +
+ + +**Privacy/AllowCrossDeviceClipboard** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Clipboard synchronization across devices* +- GP name: *AllowCrossDeviceClipboard* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +0 – Not allowed. +1 (default) – Allowed. + + + + +
+ + +**Privacy/AllowInputPersonalization** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow input personalization* +- GP name: *AllowInputPersonalization* +- GP path: *Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Choice deferred to user's preference. + + + + +
+ + +**Privacy/DisableAdvertisingId** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Enables or disables the Advertising ID. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Turn off the advertising ID* +- GP name: *DisableAdvertisingId* +- GP path: *System/User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 – Enabled. +- 65535 (default)- Not configured. + + + + +
+ + +**Privacy/DisablePrivacyExperience** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + +Value type is integer. +- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. +- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. + +In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. + + + +ADMX Info: +- GP English name: *Don't launch privacy settings experience on user logon* +- GP name: *DisablePrivacyExperience* +- GP path: *Windows Components/OOBE* +- GP ADMX file name: *OOBE.admx* + + + + + + + + + + + + + +
+ + +**Privacy/EnableActivityFeed** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + + + +ADMX Info: +- GP English name: *Enables Activity Feed* +- GP name: *EnableActivityFeed* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCalendar** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCallHistory** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCamera** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessContacts** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessEmail** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access email. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessGazeInput** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy setting specifies whether Windows apps can access the eye tracker. + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
+ + +**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
+ + +**Privacy/LetAppsAccessLocation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access location. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMessaging** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMicrophone** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMotion** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessNotifications** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessPhone** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessRadios** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsRunInBackground** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + + +Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsSyncWithDevices** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
+ + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+ + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
+ + +**Privacy/PublishUserActivities** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + + + +ADMX Info: +- GP English name: *Allow publishing of User Activities* +- GP name: *PublishUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. + + + + +
+ + +**Privacy/UploadUserActivities** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 5 |
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +Allows ActivityFeed to upload published 'User Activities'. + + + +ADMX Info: +- GP English name: *Allow upload of User Activities* +- GP name: *UploadUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 9284052651..7858f38c0e 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,235 +1,235 @@ ---- -title: Policy CSP - Storage -description: Policy CSP - Storage -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/27/2018 ---- - -# Policy CSP - Storage - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## Storage policies - -
-
-
- - Storage/AllowDiskHealthModelUpdates - -
- - Storage/EnhancedStorageDevices - -
- - Storage/RemovableDiskDenyWriteAccess - -
- - -**Storage/AllowDiskHealthModelUpdates** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- |
- |
-
- - - -Added in Windows 10, version 1709. Allows disk health model updates. - - - -Value type is integer. - - - -ADMX Info: -- GP English name: *Allow downloading updates to the Disk Failure Prediction Model* -- GP name: *SH_AllowDiskHealthModelUpdates* -- GP path: *System/Storage Health* -- GP ADMX file name: *StorageHealth.admx* - - - -The following list shows the supported values: - -- 0 - Do not allow -- 1 (default) - Allow - - - - -
- - -**Storage/EnhancedStorageDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting configures whether or not Windows will activate an Enhanced Storage device. - -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. - -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow Windows to activate Enhanced Storage devices* -- GP name: *TCGSecurityActivationDisabled* -- GP path: *System/Enhanced Storage Access* -- GP ADMX file name: *enhancedstorage.admx* - - - - -
- - -**Storage/RemovableDiskDenyWriteAccess** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - -Supported values: -- 0 - Disable -- 1 - Enable - - - -ADMX Info: -- GP English name: *Removable Disks: Deny write access* -- GP name: *RemovableDisks_DenyWrite_Access_2* -- GP element: *RemovableDisks_DenyWrite_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - - - - - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - Storage +description: Policy CSP - Storage +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/27/2018 +--- + +# Policy CSP - Storage + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## Storage policies + +
-
+
- + Storage/AllowDiskHealthModelUpdates + +
- + Storage/EnhancedStorageDevices + +
- + Storage/RemovableDiskDenyWriteAccess + +
+ + +**Storage/AllowDiskHealthModelUpdates** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1709. Allows disk health model updates. + + + +Value type is integer. + + + +ADMX Info: +- GP English name: *Allow downloading updates to the Disk Failure Prediction Model* +- GP name: *SH_AllowDiskHealthModelUpdates* +- GP path: *System/Storage Health* +- GP ADMX file name: *StorageHealth.admx* + + + +The following list shows the supported values: + +- 0 - Do not allow +- 1 (default) - Allow + + + + +
+ + +**Storage/EnhancedStorageDevices** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting configures whether or not Windows will activate an Enhanced Storage device. + +If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. + +If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow Windows to activate Enhanced Storage devices* +- GP name: *TCGSecurityActivationDisabled* +- GP path: *System/Enhanced Storage Access* +- GP ADMX file name: *enhancedstorage.admx* + + + + +
+ + +**Storage/RemovableDiskDenyWriteAccess** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + +Supported values: +- 0 - Disable +- 1 - Enable + + + +ADMX Info: +- GP English name: *Removable Disks: Deny write access* +- GP name: *RemovableDisks_DenyWrite_Access_2* +- GP element: *RemovableDisks_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 77421bcad4..8e9dd3ce58 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,1443 +1,1443 @@ ---- -title: Policy CSP - System -description: Policy CSP - System -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/24/2018 ---- - -# Policy CSP - System - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## System policies - -
-
-
- - System/AllowBuildPreview - -
- - System/AllowDeviceNameInDiagnosticData - -
- - System/AllowEmbeddedMode - -
- - System/AllowExperimentation - -
- - System/AllowFontProviders - -
- - System/AllowLocation - -
- - System/AllowStorageCard - -
- - System/AllowTelemetry - -
- - System/AllowUserToResetPhone - -
- - System/BootStartDriverInitialization - -
- - System/ConfigureMicrosoft365UploadEndpoint - -
- - System/ConfigureTelemetryOptInChangeNotification - -
- - System/ConfigureTelemetryOptInSettingsUx - -
- - System/DisableDeviceDelete - -
- - System/DisableDiagnosticDataViewer - -
- - System/DisableEnterpriseAuthProxy - -
- - System/DisableOneDriveFileSync - -
- - System/DisableSystemRestore - -
- - System/FeedbackHubAlwaysSaveDiagnosticsLocally - -
- - System/LimitEnhancedDiagnosticDataWindowsAnalytics - -
- - System/TelemetryProxy - -
- - -**System/AllowBuildPreview** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - - -This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. - -If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. - - - -ADMX Info: -- GP English name: *Toggle user control over Insider builds* -- GP name: *AllowBuildPreview* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *AllowBuildPreview.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -
- - -**System/AllowDeviceNameInDiagnosticData** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - -ADMX Info: -- GP English name: *Allow device name to be sent in Windows diagnostic data* -- GP name: *AllowDeviceNameInDiagnosticData* -- GP element: *AllowDeviceNameInDiagnosticData* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/AllowEmbeddedMode** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Specifies whether set general purpose device to be in embedded mode. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -
- - -**System/AllowExperimentation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -> [!NOTE] -> This policy is not supported in Windows 10, version 1607. - -This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentations. - - - - -
- - -**System/AllowFontProviders** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
- - - -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). - -This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. - -> [!Note] -> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. - - - -ADMX Info: -- GP English name: *Enable Font Providers* -- GP name: *EnableFontProviders* -- GP path: *Network/Fonts* -- GP ADMX file name: *GroupPolicy.admx* - - - -The following list shows the supported values: - -- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. -- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. - - - -To verify if System/AllowFontProviders is set to true: - -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -
- - -**System/AllowLocation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Specifies whether to allow app access to the Location service. - - -Most restricted value is 0. - -While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. - -When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. - -For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - -ADMX Info: -- GP English name: *Turn off location* -- GP name: *DisableLocation_2* -- GP path: *Windows Components/Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -The following list shows the supported values: - -- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. - - - - -
- - -**System/AllowStorageCard** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. - - - - -
- - -**System/AllowTelemetry** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Allow the device to send diagnostic and usage telemetry data, such as Watson. - -The following tables describe the supported values: - -Windows 8.1 Values: - -- 0 - Not allowed. -- 1 – Allowed, except for Secondary Data Requests. -- 2 (default) – Allowed. - - - -Windows 10 Values: - -- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. -- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. -- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. - - - - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Telemetry* -- GP name: *AllowTelemetry* -- GP element: *AllowTelemetry* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/AllowUserToResetPhone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -Most restricted value is 0. - - - -The following list shows the supported values: -orted values: - -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - - - - -
- - -**System/BootStartDriverInitialization** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -- Good: The driver has been signed and has not been tampered with. -- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. -- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. - -If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. - -If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. - -If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* - - - - -
- - -**System/ConfigureMicrosoft365UploadEndpoint** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. - -If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. - -The value for this setting will be provided by Microsoft as part of the onboarding process for the program. - -Value type is string. - - -ADMX Info: -- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* -- GP name: *ConfigureMicrosoft365UploadEndpoint* -- GP element: *ConfigureMicrosoft365UploadEndpoint* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/ConfigureTelemetryOptInChangeNotification** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 4 |
- 4 |
- 4 |
- 4 |
- - | - |
- - - -This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings. -If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in change notifications.* -- GP name: *ConfigureTelemetryOptInChangeNotification* -- GP element: *ConfigureTelemetryOptInChangeNotification* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/ConfigureTelemetryOptInSettingsUx** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 4 |
- 4 |
- 4 |
- 4 |
- - | - |
- - - -This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. - -If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. - -If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. - -Note: -Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in setting user interface.* -- GP name: *ConfigureTelemetryOptInSettingsUx* -- GP element: *ConfigureTelemetryOptInSettingsUx* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/DisableDeviceDelete** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. -If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. - - - -ADMX Info: -- GP English name: *Disable deleting diagnostic data * -- GP name: *DisableDeviceDelete* -- GP element: *DisableDeviceDelete* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/DisableDiagnosticDataViewer** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 5 |
- 5 |
- 5 |
- 5 |
- - | - |
- - - -This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. -If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. - - - -ADMX Info: -- GP English name: *Disable diagnostic data viewer. * -- GP name: *DisableDiagnosticDataViewer* -- GP element: *DisableDiagnosticDataViewer* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/DisableEnterpriseAuthProxy** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- |
- |
-
- - - -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - -ADMX Info: -- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* -- GP name: *DisableEnterpriseAuthProxy* -- GP element: *DisableEnterpriseAuthProxy* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/DisableOneDriveFileSync** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
- - - -Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users cannot access OneDrive from the OneDrive app or file picker. -* Microsoft Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. - -If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - -ADMX Info: -- GP English name: *Prevent the usage of OneDrive for file storage* -- GP name: *PreventOnedriveFileSync* -- GP path: *Windows Components/OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - - - -To validate on Desktop, do the following: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. - - - - -
- - -**System/DisableSystemRestore** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Allows you to disable System Restore. - -This policy setting allows you to turn off System Restore. - -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. - -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. - -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. - -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -
- - -**System/FeedbackHubAlwaysSaveDiagnosticsLocally** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
| 4 |
- 4 |
- 4 |
- 4 |
- 4 |
- - | - |
- - - -Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. - - - -The following list shows the supported values: - -- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. -- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. - - - - -
- - -**System/LimitEnhancedDiagnosticDataWindowsAnalytics** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
-
- - - -This policy setting, in combination with the System/AllowTelemetry - policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. - -To enable this behavior you must complete two steps: -
-
-
- Enable this policy setting -
- Set Allow Telemetry to level 2 (Enhanced) -
- - -**System/TelemetryProxy** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -Mobile Enterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
- - - -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. - -If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - -ADMX Info: -- GP English name: *Configure Connected User Experiences and Telemetry* -- GP name: *TelemetryProxy* -- GP element: *TelemetryProxyName* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - System +description: Policy CSP - System +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/24/2018 +--- + +# Policy CSP - System + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## System policies + +
-
+
- + System/AllowBuildPreview + +
- + System/AllowDeviceNameInDiagnosticData + +
- + System/AllowEmbeddedMode + +
- + System/AllowExperimentation + +
- + System/AllowFontProviders + +
- + System/AllowLocation + +
- + System/AllowStorageCard + +
- + System/AllowTelemetry + +
- + System/AllowUserToResetPhone + +
- + System/BootStartDriverInitialization + +
- + System/ConfigureMicrosoft365UploadEndpoint + +
- + System/ConfigureTelemetryOptInChangeNotification + +
- + System/ConfigureTelemetryOptInSettingsUx + +
- + System/DisableDeviceDelete + +
- + System/DisableDiagnosticDataViewer + +
- + System/DisableEnterpriseAuthProxy + +
- + System/DisableOneDriveFileSync + +
- + System/DisableSystemRestore + +
- + System/FeedbackHubAlwaysSaveDiagnosticsLocally + +
- + System/LimitEnhancedDiagnosticDataWindowsAnalytics + +
- + System/TelemetryProxy + +
+ + +**System/AllowBuildPreview** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + + + +ADMX Info: +- GP English name: *Toggle user control over Insider builds* +- GP name: *AllowBuildPreview* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *AllowBuildPreview.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + +
+ + +**System/AllowDeviceNameInDiagnosticData** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + +ADMX Info: +- GP English name: *Allow device name to be sent in Windows diagnostic data* +- GP name: *AllowDeviceNameInDiagnosticData* +- GP element: *AllowDeviceNameInDiagnosticData* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/AllowEmbeddedMode** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Specifies whether set general purpose device to be in embedded mode. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +
+ + +**System/AllowExperimentation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + + + + +
+ + +**System/AllowFontProviders** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+ + + +Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + + + +ADMX Info: +- GP English name: *Enable Font Providers* +- GP name: *EnableFontProviders* +- GP path: *Network/Fonts* +- GP ADMX file name: *GroupPolicy.admx* + + + +The following list shows the supported values: + +- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + + + +To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + +
+ + +**System/AllowLocation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Specifies whether to allow app access to the Location service. + + +Most restricted value is 0. + +While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_2* +- GP path: *Windows Components/Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + + + + +
+ + +**System/AllowStorageCard** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + + + + +
+ + +**System/AllowTelemetry** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Allow the device to send diagnostic and usage telemetry data, such as Watson. + +The following tables describe the supported values: + +Windows 8.1 Values: + +- 0 - Not allowed. +- 1 – Allowed, except for Secondary Data Requests. +- 2 (default) – Allowed. + + + +Windows 10 Values: + +- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. +- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. +- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. + + + + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Telemetry* +- GP name: *AllowTelemetry* +- GP element: *AllowTelemetry* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/AllowUserToResetPhone** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +Most restricted value is 0. + + + +The following list shows the supported values: +orted values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + + + + +
+ + +**System/BootStartDriverInitialization** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: +- Good: The driver has been signed and has not been tampered with. +- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. +- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. + +If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. + +If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. + +If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Boot-Start Driver Initialization Policy* +- GP name: *POL_DriverLoadPolicy_Name* +- GP path: *System/Early Launch Antimalware* +- GP ADMX file name: *earlylauncham.admx* + + + + +
+ + +**System/ConfigureMicrosoft365UploadEndpoint** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. + +If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. + +The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +Value type is string. + + +ADMX Info: +- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* +- GP name: *ConfigureMicrosoft365UploadEndpoint* +- GP element: *ConfigureMicrosoft365UploadEndpoint* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/ConfigureTelemetryOptInChangeNotification** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings. +If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in change notifications.* +- GP name: *ConfigureTelemetryOptInChangeNotification* +- GP element: *ConfigureTelemetryOptInChangeNotification* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/ConfigureTelemetryOptInSettingsUx** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. + +If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. + +If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. + +Note: +Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in setting user interface.* +- GP name: *ConfigureTelemetryOptInSettingsUx* +- GP element: *ConfigureTelemetryOptInSettingsUx* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/DisableDeviceDelete** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. +If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + + + +ADMX Info: +- GP English name: *Disable deleting diagnostic data * +- GP name: *DisableDeviceDelete* +- GP element: *DisableDeviceDelete* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/DisableDiagnosticDataViewer** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 5 |
+ 5 |
+ 5 |
+ 5 |
+ + | + |
+ + + +This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. +If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + + + +ADMX Info: +- GP English name: *Disable diagnostic data viewer. * +- GP name: *DisableDiagnosticDataViewer* +- GP element: *DisableDiagnosticDataViewer* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/DisableEnterpriseAuthProxy** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+ + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + +ADMX Info: +- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* +- GP name: *DisableEnterpriseAuthProxy* +- GP element: *DisableEnterpriseAuthProxy* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/DisableOneDriveFileSync** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+ + + +Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Microsoft Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + + + +ADMX Info: +- GP English name: *Prevent the usage of OneDrive for file storage* +- GP name: *PreventOnedriveFileSync* +- GP path: *Windows Components/OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + + +The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + + + +To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + +
+ + +**System/DisableSystemRestore** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP path: *System/System Restore* +- GP ADMX file name: *systemrestore.admx* + + + + +
+ + +**System/FeedbackHubAlwaysSaveDiagnosticsLocally** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
| 4 |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+ + | + |
+ + + +Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. + + + +The following list shows the supported values: + +- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. + + + + +
+ + +**System/LimitEnhancedDiagnosticDataWindowsAnalytics** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+
+ + + +This policy setting, in combination with the System/AllowTelemetry + policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. + +To enable this behavior you must complete two steps: +
-
+
- Enable this policy setting +
- Set Allow Telemetry to level 2 (Enhanced) +
+ + +**System/TelemetryProxy** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ |
+ |
+ |
+ |
+ |
+ |
+
+ + + +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + +ADMX Info: +- GP English name: *Configure Connected User Experiences and Telemetry* +- GP name: *TelemetryProxy* +- GP element: *TelemetryProxyName* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 1c14be4723..b20f24a567 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1420,12 +1420,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> +
-
+
What's New? |
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 371890febb..3c72b3297d 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-
+- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 665450f693..2a059112f5 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-
+- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 2f0e8fbb61..df5f2eb5b0 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-
+- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 634376dd9a..0089755870 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 09/10/2018
+ms.date: 10/03/2018
---
@@ -1818,18 +1818,14 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
-- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
-- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
-- **ContactsSystem** Current state of the Contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
-- **EmailSystem** Current state of the email setting.
- **FindMyDevice** Current state of the "find my device" setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
@@ -1841,7 +1837,6 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
-- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -1851,7 +1846,6 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
-- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -1985,18 +1979,14 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
-- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
-- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
-- **ContactsSystem** Current state of the contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
-- **EmailSystem** Current state of the email setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
- **InkTypeImprovement** Current state of the improve inking and typing setting.
@@ -2008,7 +1998,6 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
-- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -2018,7 +2007,6 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
-- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 946372eb72..6436e38396 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -1,445 +1,445 @@
----
-description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
-title: Configure Windows diagnostic data in your organization (Windows 10)
-keywords: privacy
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 04/04/2018
----
-
-# Configure Windows diagnostic data in your organization
-
-**Applies to**
-
-- Windows 10 Enterprise
-- Windows 10 Mobile
-- Windows Server
-
-At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
-
-To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
-
-- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
-- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
-- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
-- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
-- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
-
-This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
-
-Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Overview
-
-In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
-
-For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
-
-## Understanding Windows diagnostic data
-
-Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
-
-The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
-
-### What is Windows diagnostic data?
-Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
-
-- Keep Windows up to date
-- Keep Windows secure, reliable, and performant
-- Improve Windows – through the aggregate analysis of the use of Windows
-- Personalize Windows engagement surfaces
-
-Here are some specific examples of Windows diagnostic data:
-
-- Type of hardware being used
-- Applications installed and usage details
-- Reliability information on device drivers
-
-### What is NOT diagnostic data?
-
-Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
-
-There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
-
-If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-
-The following are specific examples of functional data:
-
-- Current location for weather
-- Bing searches
-- Wallpaper and desktop settings synced across multiple devices
-
-### Diagnostic data gives users a voice
-
-Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
-
-### Drive higher app and driver quality
-
-Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
-
-#### Real-world example of how Windows diagnostic data helps
-There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
-
-### Improve end-user productivity
-
-Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
-
-- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
-- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
-- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
-
-**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
-
-
-### Insights into your own organization
-
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
-
-#### Upgrade Readiness
-
-Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
-
-To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
-
-With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
-
-Use Upgrade Readiness to get:
-
-- A visual workflow that guides you from pilot to production
-- Detailed computer, driver, and application inventory
-- Powerful computer level search and drill-downs
-- Guidance and insights into application and driver compatibility issues with suggested fixes
-- Data driven application rationalization tools
-- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools
-
-The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-
-## How is diagnostic data handled by Microsoft?
-
-### Data collection
-
-Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
-
-1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
-2. Events are gathered using public operating system event logging and tracing APIs.
-3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
-4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
-
-Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
-
-### Data transmission
-
-All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
-
-The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
-
-
-### Endpoints
-
-The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
-
-The following table defines the endpoints for Connected User Experiences and Telemetry component:
-
-Windows release | Endpoint
---- | ---
-Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1Functional: v20.vortex-win.data.microsoft.com/collect/v1Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1settings-win.data.microsoft.com
-Windows 10, version 1607 | v10.vortex-win.data.microsoft.comsettings-win.data.microsoft.com
-
-The following table defines the endpoints for other diagnostic data services:
-
-| Service | Endpoint |
-| - | - |
-| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
-| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
-| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
-
-### Data use and access
-
-The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
-
-### Retention
-
-Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
-
-## Diagnostic data levels
-This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
-
-The diagnostic data is categorized into four levels:
-
-- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-
-- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
-
-- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
-
-- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
-
-The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
-
-
-
-### Security level
-
-The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
-
-> [!NOTE]
-> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
-
-Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
-
-The data gathered at this level includes:
-
-- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
-
-- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
-
- > [!NOTE]
- > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
-
- > [!NOTE]
- > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
-
- Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
-
-For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
-
-No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
-
-### Basic level
-
-The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
-
-The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
-
- - Device attributes, such as camera resolution and display type
-
- - Internet Explorer version
-
- - Battery attributes, such as capacity and type
-
- - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
-
- - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
-
- - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
-
- - Operating system attributes, such as Windows edition and virtualization state
-
- - Storage attributes, such as number of drives, type, and size
-
-- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
-
-- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
-
-- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
-
- - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
-
- - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
-
- - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
-
- - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
-
- - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
-
-- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
-
-
-### Enhanced level
-
-The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
-
-This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
-
-The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
-
-The data gathered at this level includes:
-
-- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
-
-- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
-
-- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
-
-- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
-
-If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
-
-#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
-Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
-
-In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
-
-- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
-
-- **Some crash dump types.** All crash dump types, except for heap and full dumps.
-
-**To turn on this behavior for devices**
-
-1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
-
- -AND-
-
-2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
-
- a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
-
- -OR-
-
- b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
-
-### Full level
-
-The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
-
-Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
-
-If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
-
-However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
-
-- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
-
-- Ability to get registry keys.
-
-- All crash dump types, including heap dumps and full dumps.
-
-## Enterprise management
-
-Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
-
-Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
-
-IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface.
-
-
-### Manage your diagnostic data settings
-
-We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
-
-> [!IMPORTANT]
-> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx).
-
-You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
-
-The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
-
-### Configure the operating system diagnostic data level
-
-You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
-
-Use the appropriate value in the table below when you configure the management policy.
-
-| Level | Data gathered | Value |
-| - | - | - |
-| Security | Security data only. | **0** |
-| Basic | Security data, and basic system and quality data. | **1** |
-| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
-| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
-
- > [!NOTE]
- > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
-
-### Use Group Policy to set the diagnostic data level
-
-Use a Group Policy object to set your organization’s diagnostic data level.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
-
-2. Double-click **Allow Telemetry**.
-
-3. In the **Options** box, select the level that you want to configure, and then click **OK**.
-
-### Use MDM to set the diagnostic data level
-
-Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
-
-### Use Registry Editor to set the diagnostic data level
-
-Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
-
-1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
-
-2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
-
-3. Type **AllowTelemetry**, and then press ENTER.
-
-4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
-
-5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
-
-### Configure System Center 2016 diagnostic data
-
-For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
-
-- Turn off diagnostic data by using the System Center UI Console settings workspace.
-
-- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
-
-### Additional diagnostic data controls
-
-There are a few more settings that you can turn off that may send diagnostic data information:
-
-- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
-
-- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
-
-- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
-
-- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
-
- > [!NOTE]
- > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
-
-## Additional resources
-
-FAQs
-
-- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
-- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
-- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
-- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
-- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
-- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
-- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
-- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
-- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
-
-Blogs
-
-- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
-
-Privacy Statement
-
-- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
-
-TechNet
-
-- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
-
-Web Pages
-
-- [Privacy at Microsoft](https://privacy.microsoft.com)
-
-
+---
+description: Use this article to make informed decisions about how you can configure diagnostic data in your organization.
+title: Configure Windows diagnostic data in your organization (Windows 10)
+keywords: privacy
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 04/04/2018
+---
+
+# Configure Windows diagnostic data in your organization
+
+**Applies to**
+
+- Windows 10 Enterprise
+- Windows 10 Mobile
+- Windows Server
+
+At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how.
+
+To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways:
+
+- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools.
+- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions.
+- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection.
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right.
+- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting.
+- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers.
+
+This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
+
+Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
+
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+
+## Overview
+
+In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM.
+
+For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
+
+## Understanding Windows diagnostic data
+
+Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
+
+The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts.
+
+### What is Windows diagnostic data?
+Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
+
+- Keep Windows up to date
+- Keep Windows secure, reliable, and performant
+- Improve Windows – through the aggregate analysis of the use of Windows
+- Personalize Windows engagement surfaces
+
+Here are some specific examples of Windows diagnostic data:
+
+- Type of hardware being used
+- Applications installed and usage details
+- Reliability information on device drivers
+
+### What is NOT diagnostic data?
+
+Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request.
+
+There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
+
+If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+
+The following are specific examples of functional data:
+
+- Current location for weather
+- Bing searches
+- Wallpaper and desktop settings synced across multiple devices
+
+### Diagnostic data gives users a voice
+
+Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
+
+### Drive higher app and driver quality
+
+Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
+
+#### Real-world example of how Windows diagnostic data helps
+There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
+
+### Improve end-user productivity
+
+Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are:
+
+- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time.
+- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance.
+- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature.
+
+**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
+
+
+### Insights into your own organization
+
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+
+#### Upgrade Readiness
+
+Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
+
+With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer, driver, and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+## How is diagnostic data handled by Microsoft?
+
+### Data collection
+
+Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
+
+1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
+2. Events are gathered using public operating system event logging and tracing APIs.
+3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
+4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
+
+Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
+
+### Data transmission
+
+All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
+
+The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day).
+
+
+### Endpoints
+
+The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
+
+The following table defines the endpoints for Connected User Experiences and Telemetry component:
+
+Windows release | Endpoint
+--- | ---
+Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1Functional: v20.vortex-win.data.microsoft.com/collect/v1Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1settings-win.data.microsoft.com
+Windows 10, version 1607 | v10.vortex-win.data.microsoft.comsettings-win.data.microsoft.com
+
+The following table defines the endpoints for other diagnostic data services:
+
+| Service | Endpoint |
+| - | - |
+| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
+| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
+| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |
+
+### Data use and access
+
+The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
+
+### Retention
+
+Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history.
+
+## Diagnostic data levels
+This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
+
+The diagnostic data is categorized into four levels:
+
+- **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level.
+
+- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
+
+- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
+
+The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.
+
+
+
+### Security level
+
+The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
+
+> [!NOTE]
+> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
+
+Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
+
+The data gathered at this level includes:
+
+- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
+
+- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
+
+ > [!NOTE]
+ > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+
+- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
+
+ > [!NOTE]
+ > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender).
+
+ Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates.
+
+For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity.
+
+No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
+
+### Basic level
+
+The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent.
+
+The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
+
+The data gathered at this level includes:
+
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
+
+ - Device attributes, such as camera resolution and display type
+
+ - Internet Explorer version
+
+ - Battery attributes, such as capacity and type
+
+ - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number
+
+ - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware
+
+ - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system
+
+ - Operating system attributes, such as Windows edition and virtualization state
+
+ - Storage attributes, such as number of drives, type, and size
+
+- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time.
+
+- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app.
+
+- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems.
+
+ - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
+
+ - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
+
+ - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS.
+
+ - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system.
+
+ - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
+
+- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses.
+
+
+### Enhanced level
+
+The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
+
+This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
+
+The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
+
+The data gathered at this level includes:
+
+- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components.
+
+- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge.
+
+- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
+
+- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps.
+
+If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue.
+
+#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics
+Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**.
+
+In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic.
+
+- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic.
+
+- **Some crash dump types.** All crash dump types, except for heap and full dumps.
+
+**To turn on this behavior for devices**
+
+1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**.
+
+ -AND-
+
+2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM.
+
+ a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**.
+
+ -OR-
+
+ b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**.
+
+### Full level
+
+The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
+
+Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
+
+If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem.
+
+However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
+
+- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
+
+- Ability to get registry keys.
+
+- All crash dump types, including heap dumps and full dumps.
+
+## Enterprise management
+
+Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option.
+
+Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available.
+
+IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface.
+
+
+### Manage your diagnostic data settings
+
+We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
+
+> [!IMPORTANT]
+> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx).
+
+You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on.
+
+The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**.
+
+### Configure the operating system diagnostic data level
+
+You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device.
+
+Use the appropriate value in the table below when you configure the management policy.
+
+| Level | Data gathered | Value |
+| - | - | - |
+| Security | Security data only. | **0** |
+| Basic | Security data, and basic system and quality data. | **1** |
+| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
+| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
+
+ > [!NOTE]
+ > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting.
+
+### Use Group Policy to set the diagnostic data level
+
+Use a Group Policy object to set your organization’s diagnostic data level.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**.
+
+2. Double-click **Allow Telemetry**.
+
+3. In the **Options** box, select the level that you want to configure, and then click **OK**.
+
+### Use MDM to set the diagnostic data level
+
+Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy.
+
+### Use Registry Editor to set the diagnostic data level
+
+Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
+
+1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
+
+2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
+
+3. Type **AllowTelemetry**, and then press ENTER.
+
+4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.**
+
+5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization.
+
+### Configure System Center 2016 diagnostic data
+
+For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps:
+
+- Turn off diagnostic data by using the System Center UI Console settings workspace.
+
+- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505).
+
+### Additional diagnostic data controls
+
+There are a few more settings that you can turn off that may send diagnostic data information:
+
+- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/).
+
+- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**.
+
+- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716).
+
+- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
+
+ > [!NOTE]
+ > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
+
+## Additional resources
+
+FAQs
+
+- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy)
+- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy)
+- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy)
+- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy)
+- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy)
+- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq)
+- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy)
+- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense)
+- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization)
+
+Blogs
+
+- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
+
+Privacy Statement
+
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
+
+TechNet
+
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+
+Web Pages
+
+- [Privacy at Microsoft](https://privacy.microsoft.com)
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 1ad4aaad24..6a8e0bd587 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -19,7 +19,7 @@ ms.date: 08/18/2018
- Certificate trust
-You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
+Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
@@ -514,4 +514,4 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Azure Device Registration (*You are here*)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index f6a16d45b9..f14eedf3af 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -24,7 +24,7 @@ Windows Hello for Business deployments rely on certificates. Hybrid deployments
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates.
-## Certifcate Templates
+## Certificate Templates
This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
@@ -146,7 +146,8 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ
>[!NOTE]
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
-Publish Templates
+
+## Publish Templates
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 00a4885e90..eef0b8f4a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -23,10 +23,10 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation)
-* [MultiFactor Authetication](#multifactor-authentication)
+* [MultiFactor Authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
## Directories ##
@@ -114,9 +114,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device