diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index a55bdccdcb..55233dabcb 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1410,6 +1410,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Display/DisablePerProcessDpiForApps
Display/EnablePerProcessDpi
Display/EnablePerProcessDpiForApps
+Experience/AllowWindowsSpotlightOnSettings
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 3791a903e5..1d2ee6afaa 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1082,6 +1082,9 @@ The following diagram shows the Policy configuration service provider in tree fo
-
Experience/AllowWindowsSpotlightOnActionCenter
+ -
+ Experience/AllowWindowsSpotlightOnSettings
+
-
Experience/AllowWindowsSpotlightWindowsWelcomeExperience
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index fbdad3f72a..8d5e6e3703 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -72,6 +72,9 @@ ms.date: 02/26/2018
-
Experience/AllowWindowsSpotlightOnActionCenter
+ -
+ Experience/AllowWindowsSpotlightOnSettings
+
-
Experience/AllowWindowsSpotlightWindowsWelcomeExperience
@@ -932,6 +935,67 @@ The following list shows the supported values:
+
+**Experience/AllowWindowsSpotlightOnSettings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ |
+  4 |
+ 4 |
+ |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Added in Windows 10, version 1083. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
+
+- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
+- User Setting is changeable on a per user basis.
+- If the Group policy is set to off, no suggestions will be shown to the user in Settings app.
+
+
+
+The following list shows the supported values:
+
+- 0 - Not allowed.
+- 1 - Allowed.
+
+
+
+
+
+
+
+
+
+
+
+
+
**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 72cac2741a..406db3df06 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 02/26/2018
---
# Policy DDF file
@@ -24,7 +24,7 @@ You can download the DDF files from the links below:
- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
- [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)
-The XML below is the DDF for Windows 10, version 1709.
+The XML below is the DDF for Windows 10, version 1803.
``` syntax
@@ -50,7 +50,7 @@ The XML below is the DDF for Windows 10, version 1709.
- com.microsoft/6.0/MDM/Policy
+ com.microsoft/7.0/MDM/Policy
@@ -58,8 +58,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -79,8 +79,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -125,8 +125,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -219,8 +219,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -265,8 +265,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -359,8 +359,8 @@ The XML below is the DDF for Windows 10, version 1709.
-
+
@@ -447,6 +447,30 @@ The XML below is the DDF for Windows 10, version 1709.
+
+ AllowConfigurationUpdateForBooksLibrary
+
+
+
+
+
+
+
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowCookies
@@ -875,6 +899,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+
+
+
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
EnterpriseModeSiteList
@@ -1131,6 +1179,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ PreventTabPreloading
+
+
+
+
+
+
+
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
PreventUsingLocalHostIPAddressForWebRTC
@@ -1288,14 +1360,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ UseSharedFolderForBooks
+
+
+
+
+
+
+
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
CredentialsUI
-
+
@@ -1340,8 +1436,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1381,13 +1477,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ Display
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Education
-
+
@@ -1480,8 +1622,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1646,8 +1788,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -1710,30 +1852,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
- AllowWindowsConsumerFeatures
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
AllowWindowsSpotlight
@@ -1782,6 +1900,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowWindowsSpotlightOnSettings
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowWindowsSpotlightWindowsWelcomeExperience
@@ -1836,8 +1978,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -3508,6 +3650,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
InternetZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -4828,6 +4994,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
LockedDownIntranetZoneAllowAccessToDataSources
@@ -6652,6 +6842,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -7541,13 +7755,179 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BlockedUrls
+
+
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultURL
+
+
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableHomeButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableNavigationButtons
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestartOnIdleTime
+
+
+
+
+
+
+
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Notifications
-
+
@@ -7592,8 +7972,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7638,8 +8018,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7684,8 +8064,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7700,6 +8080,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DisableContextMenus
+
+
+
+
+
+
+
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
HidePeopleBar
@@ -7754,8 +8158,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7795,6 +8199,52 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Result
@@ -7840,8 +8290,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -7854,6 +8304,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ RequirePrivateStoreOnly_1
HighestValueMostSecure
@@ -7883,8 +8337,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7910,8 +8364,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7937,8 +8391,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -7984,8 +8438,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -8028,8 +8482,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8055,8 +8509,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8082,8 +8536,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -8129,8 +8583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
1
+ This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
@@ -8145,6 +8599,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAddressBarDropdown
LowestValueMostSecure
@@ -8154,8 +8611,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
0
+ This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
@@ -8169,6 +8626,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAutofill
LowestValueMostSecure
@@ -8178,8 +8638,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -8198,13 +8658,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- AllowCookies
+ AllowConfigurationUpdateForBooksLibrary
- This setting lets you configure how your company deals with cookies.
- 2
+ 1
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
@@ -8217,6 +8677,35 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ LowestValueMostSecure
+
+
+
+ AllowCookies
+
+
+
+
+ 2
+ This setting lets you configure how your company deals with cookies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ CookiesListBox
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ Cookies
LowestValueMostSecure
@@ -8226,8 +8715,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
1
+ This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
@@ -8242,6 +8731,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDeveloperTools
LowestValueMostSecure
@@ -8251,8 +8743,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
0
+ This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
@@ -8266,6 +8758,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDoNotTrack
LowestValueMostSecure
@@ -8275,8 +8770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can load extensions in Microsoft Edge.
1
+ This setting lets you decide whether employees can load extensions in Microsoft Edge.
@@ -8291,6 +8786,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowExtensions
LowestValueMostSecure
@@ -8300,8 +8798,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
1
+ This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
@@ -8316,6 +8814,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlash
HighestValueMostSecure
@@ -8325,8 +8826,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Configure the Adobe Flash Click-to-Run setting.
1
+ Configure the Adobe Flash Click-to-Run setting.
@@ -8341,6 +8842,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashClickToRun
HighestValueMostSecure
@@ -8350,8 +8854,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This setting lets you decide whether employees can browse using InPrivate website browsing.
1
+ This setting lets you decide whether employees can browse using InPrivate website browsing.
@@ -8365,6 +8869,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowInPrivate
LowestValueMostSecure
@@ -8374,12 +8881,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 1
This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat.
If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly.
If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation.
- 1
@@ -8393,6 +8900,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowCVList
LowestValueMostSecure
@@ -8402,8 +8912,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether employees can save their passwords locally, using Password Manager.
1
+ This setting lets you decide whether employees can save their passwords locally, using Password Manager.
@@ -8417,6 +8927,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPasswordManager
LowestValueMostSecure
@@ -8426,8 +8939,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
0
+ This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
@@ -8442,6 +8955,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPopups
LowestValueMostSecure
@@ -8451,13 +8967,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
+ 1
Allow search engine customization for MDM enrolled devices. Users can change their default search engine.
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
If this setting is disabled, users will be unable to add search engines or change the default used in the address bar.
This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
- 1
@@ -8471,6 +8987,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchEngineCustomization
LowestValueMostSecure
@@ -8480,8 +8999,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
1
+ This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
@@ -8495,6 +9014,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchSuggestionsinAddressBar
LowestValueMostSecure
@@ -8504,8 +9026,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether to turn on Windows Defender SmartScreen.
1
+ This setting lets you decide whether to turn on Windows Defender SmartScreen.
@@ -8519,6 +9041,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSmartScreen
LowestValueMostSecure
@@ -8528,8 +9053,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
0
+ Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
@@ -8543,6 +9068,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AlwaysEnableBooksLibrary
LowestValueMostSecure
@@ -8552,8 +9080,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether to always clear browsing history on exiting Microsoft Edge.
0
+ Specifies whether to always clear browsing history on exiting Microsoft Edge.
@@ -8568,6 +9096,9 @@ This policy will only apply on domain joined machines or when the device is MDM
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowClearingBrowsingDataOnExit
LowestValueMostSecure
@@ -8577,6 +9108,7 @@ This policy will only apply on domain joined machines or when the device is MDM
+
Allows you to add up to 5 additional search engines for MDM-enrolled devices.
If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default.
@@ -8584,7 +9116,6 @@ If this setting is turned on, you can add up to 5 additional search engines for
If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -8597,6 +9128,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ ConfigureAdditionalSearchEngines_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfigureAdditionalSearchEngines
LastWrite
@@ -8606,13 +9141,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0
Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect.
Note: This policy has no effect when Browser/HomePages is not configured.
Important
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- 0
@@ -8627,6 +9162,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ DisableLockdownOfStartPages
+ LowestValueMostSecure
+
+
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+ 0
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnableExtendedBooksTelemetry
LowestValueMostSecure
@@ -8636,8 +9201,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
+ This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
@@ -8651,6 +9216,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
text/plain
phone
+ MicrosoftEdge.admx
+ EnterSiteListPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnterpriseModeSiteList
LastWrite
@@ -8660,8 +9229,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
-
+
@@ -8684,8 +9253,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- Configure first run URL.
+ Configure first run URL.
@@ -8708,13 +9277,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
Configure the Start page URLs for your employees.
Example:
If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support.
Encapsulate each string with greater than and less than characters like any other XML tag.
Version 1703 or later: If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL.
-
@@ -8728,6 +9297,10 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
text/plain
phone
+ MicrosoftEdge.admx
+ HomePagesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HomePages
LastWrite
@@ -8737,6 +9310,7 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
+ 0
This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
@@ -8745,7 +9319,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
- 0
@@ -8759,6 +9332,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ LockdownFavorites
LowestValueMostSecure
@@ -8768,8 +9344,8 @@ If you disable or don't configure this setting (default), employees can add, imp
- Prevent access to the about:flags page in Microsoft Edge.
0
+ Prevent access to the about:flags page in Microsoft Edge.
@@ -8783,6 +9359,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventAccessToAboutFlagsInMicrosoftEdge
HighestValueMostSecure
@@ -8792,10 +9371,10 @@ If you disable or don't configure this setting (default), employees can add, imp
+ 0
Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -8810,6 +9389,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventFirstRunPage
HighestValueMostSecure
@@ -8819,10 +9401,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0
This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -8836,6 +9418,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventLiveTileDataCollection
HighestValueMostSecure
@@ -8845,8 +9430,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides
0
+ Don't allow Windows Defender SmartScreen warning overrides
@@ -8860,6 +9445,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverride
HighestValueMostSecure
@@ -8869,8 +9457,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides for unverified files.
0
+ Don't allow Windows Defender SmartScreen warning overrides for unverified files.
@@ -8884,6 +9472,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideForFiles
+ HighestValueMostSecure
+
+
+
+ PreventTabPreloading
+
+
+
+
+ 0
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventTabPreloading
HighestValueMostSecure
@@ -8893,8 +9512,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Prevent using localhost IP address for WebRTC
0
+ Prevent using localhost IP address for WebRTC
@@ -8908,6 +9527,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HideLocalHostIPAddress
HighestValueMostSecure
@@ -8917,6 +9539,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
@@ -8925,7 +9548,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
@@ -8938,6 +9560,10 @@ If you disable or don't configure this setting, employees will see the favorites
text/plain
+ MicrosoftEdge.admx
+ ConfiguredFavoritesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfiguredFavorites
LastWrite
@@ -8947,8 +9573,8 @@ If you disable or don't configure this setting, employees will see the favorites
- Sends all intranet traffic over to Internet Explorer.
0
+ Sends all intranet traffic over to Internet Explorer.
@@ -8963,6 +9589,9 @@ If you disable or don't configure this setting, employees will see the favorites
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SendIntranetTraffictoInternetExplorer
HighestValueMostSecure
@@ -8972,6 +9601,7 @@ If you disable or don't configure this setting, employees will see the favorites
+
Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine.
If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING.
@@ -8979,7 +9609,6 @@ If this setting is turned on, you are setting the default search engine that you
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -8992,6 +9621,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ SetDefaultSearchEngine_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SetDefaultSearchEngine
LastWrite
@@ -9001,8 +9634,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Show message when opening sites in Internet Explorer
0
+ Show message when opening sites in Internet Explorer
@@ -9017,6 +9650,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ShowMessageWhenOpeningSitesInInternetExplorer
HighestValueMostSecure
@@ -9026,8 +9662,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
0
+ Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -9042,6 +9678,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SyncFavoritesBetweenIEAndMicrosoftEdge
+ LowestValueMostSecure
+
+
+
+ UseSharedFolderForBooks
+
+
+
+
+ 0
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ UseSharedFolderForBooks
LowestValueMostSecure
@@ -9071,8 +9737,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9118,8 +9784,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9140,6 +9806,55 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ Display
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Display.admx
+ DisplayGlobalPerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LowestValueMostSecure
+
+
+
Education
@@ -9165,8 +9880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy sets user's default printer
+ This policy sets user's default printer
@@ -9188,8 +9903,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Boolean that specifies whether or not to prevent user to install new printers
0
+ Boolean that specifies whether or not to prevent user to install new printers
@@ -9203,6 +9918,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ Printing.admx
+ Printing~AT~ControlPanel~CplPrinters
+ NoAddPrinter
HighestValueMostSecure
@@ -9212,8 +9930,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy provisions per-user network printers
+ This policy provisions per-user network printers
@@ -9255,8 +9973,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy provisions per-user discovery end point to discover cloud printers
+ This policy provisions per-user discovery end point to discover cloud printers
@@ -9278,8 +9996,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Authentication endpoint for acquiring OAuth tokens
+ Authentication endpoint for acquiring OAuth tokens
@@ -9301,8 +10019,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority
+ A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority
@@ -9324,8 +10042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication
+ Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication
@@ -9347,8 +10065,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Defines the maximum number of printers that should be queried from discovery end point
20
+ Defines the maximum number of printers that should be queried from discovery end point
@@ -9361,6 +10079,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LastWrite
@@ -9370,8 +10089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication
+ Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication
@@ -9413,8 +10132,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -9428,6 +10147,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableTailoredExperiencesWithDiagnosticData
LowestValueMostSecure
@@ -9437,33 +10159,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- LowestValueMostSecure
-
-
-
- AllowWindowsConsumerFeatures
-
-
-
-
- 0
@@ -9478,6 +10175,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableThirdPartySuggestions
LowestValueMostSecure
@@ -9487,8 +10187,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -9503,6 +10203,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightFeatures
LowestValueMostSecure
@@ -9512,8 +10215,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -9527,6 +10230,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightOnActionCenter
+ LowestValueMostSecure
+
+
+
+ AllowWindowsSpotlightOnSettings
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightOnSettings
LowestValueMostSecure
@@ -9536,8 +10269,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -9551,6 +10284,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsSpotlightWindowsWelcomeExperience
LowestValueMostSecure
@@ -9560,8 +10296,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -9574,7 +10310,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ ConfigureWindowsSpotlight
LowestValueMostSecure
@@ -9604,8 +10344,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9631,8 +10371,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9658,8 +10398,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9685,8 +10425,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9712,8 +10452,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9739,8 +10479,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9766,8 +10506,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9793,8 +10533,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9820,8 +10560,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9847,8 +10587,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9874,8 +10614,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9901,8 +10641,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9928,8 +10668,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9955,8 +10695,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -9982,8 +10722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10009,8 +10749,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10036,8 +10776,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10063,8 +10803,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10090,8 +10830,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10117,8 +10857,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10144,8 +10884,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10171,8 +10911,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10198,8 +10938,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10225,8 +10965,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10252,8 +10992,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10279,8 +11019,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10306,8 +11046,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10333,8 +11073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10349,8 +11089,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
inetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction
- IESF_PolicyExplorerProcesses_2
+ inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling
+ IESF_PolicyExplorerProcesses_5
LastWrite
@@ -10360,8 +11100,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10387,8 +11127,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10414,8 +11154,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10441,8 +11181,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10468,8 +11208,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10495,8 +11235,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10522,8 +11262,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10549,8 +11289,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10576,8 +11316,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10603,8 +11343,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10630,8 +11370,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10657,8 +11397,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10684,8 +11424,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10711,8 +11451,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10738,8 +11478,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10765,8 +11505,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10792,8 +11532,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10819,8 +11559,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10846,8 +11586,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10873,8 +11613,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10900,8 +11640,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10927,8 +11667,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10954,8 +11694,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -10981,8 +11721,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11008,8 +11748,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11035,8 +11775,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11062,8 +11802,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11089,8 +11829,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11116,8 +11856,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11143,8 +11883,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11170,8 +11910,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11197,8 +11937,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11224,8 +11964,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11251,8 +11991,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11278,8 +12018,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11305,8 +12045,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11332,8 +12072,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11359,8 +12099,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11386,8 +12126,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11413,8 +12153,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11440,8 +12180,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11461,14 +12201,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone
+ IZ_PolicyAllowVBScript_1
+ LastWrite
+
+
InternetZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -11494,8 +12261,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11521,8 +12288,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11548,8 +12315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11575,8 +12342,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11602,8 +12369,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11629,8 +12396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11656,8 +12423,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11683,8 +12450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11710,8 +12477,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11737,8 +12504,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11764,8 +12531,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11791,8 +12558,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11818,8 +12585,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11845,8 +12612,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11872,8 +12639,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11899,8 +12666,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11926,8 +12693,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11953,8 +12720,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -11980,8 +12747,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12007,8 +12774,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12034,8 +12801,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12061,8 +12828,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12088,8 +12855,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12115,8 +12882,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12142,8 +12909,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12169,8 +12936,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12196,8 +12963,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12223,8 +12990,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12250,8 +13017,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12277,8 +13044,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12304,8 +13071,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12331,8 +13098,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12358,8 +13125,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12385,8 +13152,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12412,8 +13179,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12439,8 +13206,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12466,8 +13233,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12493,8 +13260,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12520,8 +13287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12547,8 +13314,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12574,8 +13341,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12601,8 +13368,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12628,8 +13395,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12655,8 +13422,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12682,8 +13449,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12709,8 +13476,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12736,8 +13503,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12763,8 +13530,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12790,8 +13557,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12817,8 +13584,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12844,8 +13611,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12871,8 +13638,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12898,8 +13665,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12925,8 +13692,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -12946,14 +13713,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown
+ IZ_PolicyJavaPermissions_4
+ LastWrite
+
+
LockedDownIntranetZoneAllowAccessToDataSources
-
+
@@ -12979,8 +13773,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13006,8 +13800,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13033,8 +13827,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13060,8 +13854,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13087,8 +13881,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13114,8 +13908,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13141,8 +13935,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13168,8 +13962,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13195,8 +13989,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13222,8 +14016,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13249,8 +14043,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13276,8 +14070,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13303,8 +14097,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13330,8 +14124,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13357,8 +14151,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13384,8 +14178,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13411,8 +14205,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13438,8 +14232,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13465,8 +14259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13492,8 +14286,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13519,8 +14313,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13546,8 +14340,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13573,8 +14367,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13600,8 +14394,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13627,8 +14421,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13654,8 +14448,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13681,8 +14475,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13708,8 +14502,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13735,8 +14529,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13762,8 +14556,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13789,8 +14583,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13816,8 +14610,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13843,8 +14637,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13870,8 +14664,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13897,8 +14691,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13924,8 +14718,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13951,8 +14745,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -13978,8 +14772,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14005,8 +14799,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14032,8 +14826,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14059,8 +14853,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14086,8 +14880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14113,8 +14907,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14140,8 +14934,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14167,8 +14961,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14194,8 +14988,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14221,8 +15015,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14248,8 +15042,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14275,8 +15069,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14302,8 +15096,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14329,8 +15123,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14356,8 +15150,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14383,8 +15177,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14410,8 +15204,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14437,8 +15231,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14464,8 +15258,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14491,8 +15285,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14518,8 +15312,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14545,8 +15339,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14572,8 +15366,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14599,8 +15393,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14626,8 +15420,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14653,8 +15447,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14680,8 +15474,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14707,8 +15501,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14734,8 +15528,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14761,8 +15555,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14788,8 +15582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14815,8 +15609,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14842,8 +15636,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14869,8 +15663,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14896,8 +15690,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14923,8 +15717,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14950,8 +15744,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14977,8 +15771,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -14998,14 +15792,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LastWrite
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone
+ IZ_PolicyAllowVBScript_7
+ LastWrite
+
+
RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -15031,8 +15852,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15058,8 +15879,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15085,8 +15906,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15112,8 +15933,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15139,8 +15960,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15166,8 +15987,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15193,8 +16014,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15220,8 +16041,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15247,8 +16068,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15274,8 +16095,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15301,8 +16122,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15328,8 +16149,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15355,8 +16176,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15382,8 +16203,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15409,8 +16230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15436,8 +16257,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15463,8 +16284,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15490,8 +16311,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15517,8 +16338,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15544,8 +16365,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15571,8 +16392,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15598,8 +16419,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15625,8 +16446,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15652,8 +16473,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15679,8 +16500,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15706,8 +16527,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15733,8 +16554,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15760,8 +16581,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15787,8 +16608,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15814,8 +16635,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15841,8 +16662,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15868,8 +16689,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15895,8 +16716,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15922,8 +16743,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15949,8 +16770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15976,8 +16797,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -15998,6 +16819,173 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ BlockedUrls
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ DefaultURL
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ EnableHomeButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ EnableNavigationButtons
+
+
+
+
+ 0
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ RestartOnIdleTime
+
+
+
+
+ 0
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
Notifications
@@ -16023,8 +17011,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -16038,6 +17026,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoNotificationMirroring
LowestValueMostSecure
@@ -16067,8 +17058,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16114,8 +17105,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -16128,6 +17119,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ Taskbar.admx
+ Taskbar~AT~StartMenu~TPMCategory
+ ConfigureTaskbarCalendar
LastWrite
@@ -16152,13 +17147,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- HidePeopleBar
+ DisableContextMenus
- Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
0
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
@@ -16173,6 +17168,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ DisableContextMenusInStart
+ LowestValueMostSecure
+
+
+
+ HidePeopleBar
+
+
+
+
+ 0
+ Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ HidePeopleBar
LowestValueMostSecure
@@ -16182,8 +17208,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16197,6 +17223,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ LockedStartLayout
LastWrite
@@ -16226,8 +17255,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
3
+
@@ -16240,10 +17269,62 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ DataCollection.admx
+ AllowTelemetry
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowTelemetry
LowestValueMostSecure
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ PowerShellExecutionPolicy.admx
+ PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell
+ EnableScriptBlockLogging
+ LastWrite
+
+
+
@@ -16263,7 +17344,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- com.microsoft/6.0/MDM/Policy
+ com.microsoft/7.0/MDM/Policy
@@ -16271,8 +17352,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
Policy CSP ConfigOperations
@@ -16293,8 +17374,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
Win32 App ADMX Ingestion
@@ -16315,8 +17396,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
Win32 App Name
@@ -16337,8 +17418,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
Setting Type of Win32 App. Policy Or Preference
@@ -16359,8 +17440,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
Unique ID of ADMX file
@@ -16386,8 +17467,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16407,8 +17488,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16501,8 +17582,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16619,8 +17700,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16665,8 +17746,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -16705,14 +17786,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ EnableAppUriHandlers
+
+
+
+
+
+
+
+ Enables web-to-app linking, which allows apps to be launched with a http(s) URI
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
ApplicationManagement
-
+
@@ -16968,13 +18073,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AppRuntime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowMicrosoftAccountsToBeOptional
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
AppVirtualization
-
+
@@ -17667,8 +18818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17731,30 +18882,6 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
- AllowFidoDeviceSignon
-
-
-
-
-
-
-
- Specifies whether FIDO device can be used to sign on.
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
AllowSecondaryAuthenticationDevice
@@ -17785,8 +18912,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17879,8 +19006,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -17925,8 +19052,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -18013,6 +19140,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowPromptedProximalConnections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
LocalDeviceName
@@ -18067,8 +19218,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -18155,6 +19306,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowConfigurationUpdateForBooksLibrary
+
+
+
+
+
+
+
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowCookies
@@ -18583,6 +19758,30 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+
+
+
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
EnterpriseModeSiteList
@@ -18839,6 +20038,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ PreventTabPreloading
+
+
+
+
+
+
+
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
PreventUsingLocalHostIPAddressForWebRTC
@@ -18996,14 +20219,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ UseSharedFolderForBooks
+
+
+
+
+
+
+
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
Camera
-
+
@@ -19048,8 +20295,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19121,7 +20368,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19145,7 +20392,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -19190,8 +20437,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19326,6 +20573,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ AllowPhonePCLinking
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowUSBConnection
@@ -19544,12 +20815,56 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- CredentialProviders
+ ControlPolicyConflict
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MDMWinsOverGP
+
+
+
+
+
+
+ If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ CredentialProviders
+
+
+
+
@@ -19637,13 +20952,59 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ CredentialsDelegation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteHostAllowsDelegationOfNonExportableCredentials
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
CredentialsUI
-
+
@@ -19712,8 +21073,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19782,8 +21143,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19852,8 +21213,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -19922,8 +21283,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -20784,8 +22145,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -20849,7 +22210,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- DOCacheHost
+ DODelayBackgroundDownloadFromHttp
@@ -20859,7 +22220,31 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DODelayForegroundDownloadFromHttp
+
+
+
+
+
+
+
+
+
+
@@ -20920,6 +22305,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOGroupIdSource
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DOMaxCacheAge
@@ -21184,6 +22593,30 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOPercentageMaxBackgroundBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DOPercentageMaxDownloadBandwidth
@@ -21208,14 +22641,110 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ DOPercentageMaxForegroundBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DORestrictPeerSelectionBy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DOSetHoursToLimitBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DeviceGuard
-
+
@@ -21308,8 +22837,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -21378,8 +22907,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -21758,6 +23287,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ PreventEnablingLockScreenCamera
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
PreventLockScreenSlideShow
@@ -21812,8 +23365,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -21828,6 +23381,78 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ DisablePerProcessDpiForApps
+
+
+
+
+
+
+
+ This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnablePerProcessDpiForApps
+
+
+
+
+
+
+
+ This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
TurnOffGdiDPIScalingForApps
@@ -21882,8 +23507,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22024,8 +23649,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22142,8 +23767,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22446,6 +24071,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ AllowWindowsConsumerFeatures
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowWindowsTips
@@ -22500,8 +24149,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22541,13 +24190,83 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ FileExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOffDataExecutionPreventionForExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TurnOffHeapTerminationOnCorruption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Games
-
+
@@ -22592,8 +24311,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -22638,8 +24357,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -24358,6 +26077,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
InternetZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -25678,6 +27421,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
LockedDownIntranetZoneAllowAccessToDataSources
@@ -27502,6 +29269,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
@@ -28055,7 +29846,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- SecurityZonesUseOnlyMachineSettings
+ SecurityZonesUseOnlyMachineSettings
@@ -28420,8 +30211,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -28557,13 +30348,179 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BlockedUrls
+
+
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefaultURL
+
+
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableHomeButton
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableNavigationButtons
+
+
+
+
+
+
+
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestartOnIdleTime
+
+
+
+
+
+
+
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Licensing
-
+
@@ -28632,8 +30589,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -28958,6 +30915,225 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
+
+ DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+
+
+
+
+
+ Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+
+
+
+
+
+ Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+
+
+
+
+
+ Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_DisableMachineAccountPasswordChanges
+
+
+
+
+
+
+
+ Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_MaximumMachineAccountPasswordAge
+
+
+
+
+
+
+
+ Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DomainMember_RequireStrongSessionKey
+
+
+
+
+
+
+
+ Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
@@ -29164,6 +31340,404 @@ Default: No message.
+
+ InteractiveLogon_SmartCardRemovalBehavior
+
+
+
+
+
+
+
+ Interactive logon: Smart card removal behavior
+
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+
+The options are:
+
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsAlways
+
+
+
+
+
+
+
+ Microsoft network client: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+
+
+
+
+
+ Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+
+
+
+
+
+ Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+
+
+
+
+
+ Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+
+
+
+
+
+ Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+
+
+
+
+
+ Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+
+
+
+
+
+ Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+
+
+
+
+
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+
+
+
+
+
+ Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
@@ -29220,6 +31794,161 @@ This policy will be turned off by default on domain joined machines. This would
+
+ NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+
+
+
+
+
+ Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_LANManagerAuthenticationLevel
+
+
+
+
+
+
+
+ Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+
+
+
+
+
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+
+
+
+
+
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
@@ -29624,8 +32353,8 @@ The options are:
-
+
@@ -29670,8 +32399,8 @@ The options are:
-
+
@@ -29716,8 +32445,8 @@ The options are:
-
+
@@ -29786,8 +32515,8 @@ The options are:
-
+
@@ -29875,13 +32604,273 @@ The options are:
+
+ MSSecurityGuide
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSMBV1ClientDriver
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureSMBV1Server
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableStructuredExceptionHandlingOverwriteProtection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ WDigestAuthentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ MSSLegacy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPSourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IPv6SourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
NetworkIsolation
-
+
@@ -30090,12 +33079,12 @@ The options are:
- Power
+ Notifications
-
+
@@ -30110,6 +33099,76 @@ The options are:
+
+ DisallowCloudNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Power
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowStandbyStatesWhenSleepingOnBattery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowStandbyWhenSleepingPluggedIn
@@ -30332,8 +33391,8 @@ The options are:
-
+
@@ -30402,8 +33461,8 @@ The options are:
-
+
@@ -30835,7 +33894,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30859,7 +33918,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30883,7 +33942,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -30931,7 +33990,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -30955,7 +34014,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -30979,7 +34038,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -31027,7 +34086,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31051,7 +34110,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -31075,7 +34134,103 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput
+
+
+
+
+
+
+
+ This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_ForceAllowTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_ForceDenyTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LetAppsAccessGazeInput_UserInControlOfTheseApps
+
+
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
@@ -31123,7 +34278,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31147,7 +34302,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31171,7 +34326,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -31219,7 +34374,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31243,7 +34398,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31267,7 +34422,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -31315,7 +34470,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31339,7 +34494,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31363,7 +34518,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -31411,7 +34566,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31435,7 +34590,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31459,7 +34614,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -31507,7 +34662,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31531,7 +34686,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31555,7 +34710,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -31603,7 +34758,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31627,7 +34782,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31651,7 +34806,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -31699,7 +34854,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31723,7 +34878,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31747,7 +34902,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -31795,7 +34950,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31819,7 +34974,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31843,7 +34998,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -31891,7 +35046,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -31915,7 +35070,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -31939,7 +35094,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -32179,7 +35334,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32203,7 +35358,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32227,7 +35382,7 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -32266,14 +35421,38 @@ The options are:
+
+ UploadUserActivities
+
+
+
+
+
+
+
+ Allows ActivityFeed to upload published 'User Activities'.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
RemoteAssistance
-
+
@@ -32390,8 +35569,8 @@ The options are:
-
+
@@ -32556,8 +35735,8 @@ The options are:
-
+
@@ -32938,8 +36117,8 @@ The options are:
-
+
@@ -33008,8 +36187,8 @@ The options are:
-
+
@@ -33193,13 +36372,60 @@ The options are:
+
+ RestrictedGroups
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureGroupMembership
+
+
+
+
+
+
+
+ This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Search
-
+
@@ -33238,6 +36464,30 @@ The options are:
+
+ AllowCortanaInAAD
+
+
+
+
+
+
+
+ This features allows you to show the cortana opt-in page during Windows Setup
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowIndexingEncryptedStoresOrItems
@@ -33430,6 +36680,30 @@ The options are:
+
+ DoNotUseWebResults
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
PreventIndexingLowDiskSpaceMB
@@ -33508,8 +36782,8 @@ The options are:
-
+
@@ -33644,6 +36918,30 @@ The options are:
+
+ ConfigureWindowsPasswords
+
+
+
+
+
+
+
+ Configures the use of passwords for Windows features
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
@@ -33746,8 +37044,8 @@ The options are:
-
+
@@ -34080,8 +37378,8 @@ The options are:
-
+
@@ -34174,8 +37472,8 @@ The options are:
-
+
@@ -34220,8 +37518,8 @@ The options are:
-
+
@@ -34476,6 +37774,30 @@ The options are:
+
+ DisableContextMenus
+
+
+
+
+
+
+
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
ForceStartSize
@@ -34914,8 +38236,8 @@ The options are:
-
+
@@ -34984,8 +38306,8 @@ The options are:
-
+
@@ -35216,6 +38538,54 @@ The options are:
+
+ ConfigureTelemetryOptInChangeNotification
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureTelemetryOptInSettingsUx
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DisableEnterpriseAuthProxy
@@ -35249,7 +38619,7 @@ The options are:
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
@@ -35321,7 +38691,7 @@ The options are:
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy.
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
@@ -35362,12 +38732,12 @@ The options are:
- TextInput
+ SystemServices
-
+
@@ -35382,6 +38752,242 @@ The options are:
+
+ ConfigureHomeGroupListenerServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureHomeGroupProviderServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxAccessoryManagementServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveAuthManagerServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveGameSaveServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ConfigureXboxLiveNetworkingServiceStartupMode
+
+
+
+
+
+
+
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TaskScheduler
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableXboxGameSaveTask
+
+
+
+
+
+
+
+ This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ TextInput
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowHardwareKeyboardTextSuggestions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
AllowIMELogging
@@ -35598,6 +39204,54 @@ The options are:
+
+ AllowLinguisticDataCollection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
ExcludeJapaneseIMEExceptJIS0208
@@ -35670,14 +39324,206 @@ The options are:
+
+ ForceTouchKeyboardDockedState
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardDictationButtonAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardEmojiButtonAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardFullModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardHandwritingModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardNarrowModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardSplitModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TouchKeyboardWideModeAvailability
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
TimeLanguageSettings
-
+
@@ -35722,8 +39568,8 @@ The options are:
-
+
@@ -36026,6 +39872,30 @@ The options are:
+
+ ConfigureFeatureUpdateUninstallPeriod
+
+
+
+
+
+
+
+ Enable enterprises/IT admin to configure feature update uninstall period
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DeferFeatureUpdatesPeriodInDays
@@ -36867,13 +40737,735 @@ The options are:
+
+ UserRights
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessCredentialManagerAsTrustedCaller
+
+
+
+
+
+
+
+ This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AccessFromNetwork
+
+
+
+
+
+
+
+ This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ActAsPartOfTheOperatingSystem
+
+
+
+
+
+
+
+ This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllowLocalLogOn
+
+
+
+
+
+
+
+ This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BackupFilesAndDirectories
+
+
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ChangeSystemTime
+
+
+
+
+
+
+
+ This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateGlobalObjects
+
+
+
+
+
+
+
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreatePageFile
+
+
+
+
+
+
+
+ This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreatePermanentSharedObjects
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateSymbolicLinks
+
+
+
+
+
+
+
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CreateToken
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DebugPrograms
+
+
+
+
+
+
+
+ This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyAccessFromNetwork
+
+
+
+
+
+
+
+ This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyLocalLogOn
+
+
+
+
+
+
+
+ This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DenyRemoteDesktopServicesLogOn
+
+
+
+
+
+
+
+ This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableDelegation
+
+
+
+
+
+
+
+ This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ GenerateSecurityAudits
+
+
+
+
+
+
+
+ This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ImpersonateClient
+
+
+
+
+
+
+
+ Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+1) The access token that is being impersonated is for this user.
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
+3) The requested level is less than Impersonate, such as Anonymous or Identify.
+Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IncreaseSchedulingPriority
+
+
+
+
+
+
+
+ This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LoadUnloadDeviceDrivers
+
+
+
+
+
+
+
+ This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LockMemory
+
+
+
+
+
+
+
+ This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManageAuditingAndSecurityLog
+
+
+
+
+
+
+
+ This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManageVolume
+
+
+
+
+
+
+
+ This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ModifyFirmwareEnvironment
+
+
+
+
+
+
+
+ This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ModifyObjectLabel
+
+
+
+
+
+
+
+ This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ProfileSingleProcess
+
+
+
+
+
+
+
+ This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RemoteShutdown
+
+
+
+
+
+
+
+ This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RestoreFilesAndDirectories
+
+
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TakeOwnership
+
+
+
+
+
+
+
+ This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
Wifi
-
+
@@ -37033,13 +41625,59 @@ The options are:
+
+ WindowsConnectionManager
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
WindowsDefenderSecurityCenter
-
+
@@ -37078,6 +41716,30 @@ The options are:
+
+ DisableAccountProtectionUI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DisableAppBrowserUI
@@ -37102,6 +41764,30 @@ The options are:
+
+ DisableDeviceSecurityUI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DisableEnhancedNotifications
@@ -37342,6 +42028,78 @@ The options are:
+
+ HideRansomwareDataRecovery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HideSecureBoot
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HideTPMTroubleshooting
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
Phone
@@ -37396,8 +42154,8 @@ The options are:
-
+
@@ -37466,8 +42224,8 @@ The options are:
-
+
@@ -37530,6 +42288,30 @@ The options are:
+
+ EnumerateLocalUsersOnDomainJoinedComputers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
HideFastUserSwitching
@@ -37554,14 +42336,84 @@ The options are:
+
+ SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
WirelessDisplay
-
+
@@ -37824,8 +42676,8 @@ The options are:
-
1
+
@@ -37849,8 +42701,8 @@ The options are:
-
1
+
@@ -37864,6 +42716,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaAboveLock
LowestValueMostSecure
@@ -37873,8 +42728,8 @@ The options are:
-
1
+
@@ -37917,8 +42772,8 @@ The options are:
-
1
+
@@ -37941,8 +42796,8 @@ The options are:
-
1
+
@@ -37965,8 +42820,8 @@ The options are:
-
1
+
@@ -37989,8 +42844,8 @@ The options are:
-
+
@@ -38032,8 +42887,8 @@ The options are:
-
+
@@ -38079,8 +42934,8 @@ The options are:
-
+
@@ -38094,9 +42949,40 @@ The options are:
text/plain
phone
+ WindowsExplorer.admx
+ DefaultAssociationsConfiguration_TextBox
+ WindowsExplorer~AT~WindowsComponents~WindowsExplorer
+ DefaultAssociationsConfiguration
LastWrite
+
+ EnableAppUriHandlers
+
+
+
+
+ 1
+ Enables web-to-app linking, which allows apps to be launched with a http(s) URI
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ GroupPolicy.admx
+ GroupPolicy~AT~System~PolicyPolicies
+ EnableAppUriHandlers
+ HighestValueMostSecure
+
+
ApplicationManagement
@@ -38123,8 +43009,8 @@ The options are:
-
65535
+
@@ -38138,6 +43024,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AppxDeploymentAllowAllTrustedApps
LowestValueMostSecure
@@ -38147,8 +43036,8 @@ The options are:
-
2
+
@@ -38161,6 +43050,10 @@ The options are:
text/plain
+
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ DisableAutoInstall
LowestValueMostSecure
@@ -38170,8 +43063,8 @@ The options are:
-
65535
+
@@ -38185,6 +43078,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AllowDevelopmentWithoutDevLicense
LowestValueMostSecure
@@ -38194,8 +43090,8 @@ The options are:
-
1
+
@@ -38210,6 +43106,9 @@ The options are:
phone
+ GameDVR.admx
+ GameDVR~AT~WindowsComponents~GAMEDVR
+ AllowGameDVR
LowestValueMostSecure
@@ -38219,8 +43118,8 @@ The options are:
-
0
+
@@ -38234,6 +43133,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ AllowSharedLocalAppData
LowestValueMostSecure
@@ -38243,8 +43145,8 @@ The options are:
-
1
+
@@ -38268,8 +43170,8 @@ The options are:
-
+
@@ -38292,8 +43194,8 @@ The options are:
-
0
+
@@ -38307,6 +43209,9 @@ The options are:
text/plain
+ WindowsStore.admx
+ WindowsStore~AT~WindowsComponents~WindowsStore
+ DisableStoreApps
LowestValueMostSecure
@@ -38316,8 +43221,8 @@ The options are:
-
0
+
@@ -38331,6 +43236,9 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ RestrictAppDataToSystemVolume
LowestValueMostSecure
@@ -38340,8 +43248,8 @@ The options are:
-
0
+
@@ -38355,10 +43263,60 @@ The options are:
text/plain
+ AppxPackageManager.admx
+ AppxPackageManager~AT~WindowsComponents~AppxDeployment
+ DisableDeploymentToNonSystemVolumes
LowestValueMostSecure
+
+ AppRuntime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowMicrosoftAccountsToBeOptional
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ AppXRuntime.admx
+ AppXRuntime~AT~WindowsComponents~AppXRuntime
+ AppxRuntimeMicrosoftAccountsOptional
+ LastWrite
+
+
+
AppVirtualization
@@ -38384,8 +43342,8 @@ The options are:
-
+
@@ -38411,8 +43369,8 @@ The options are:
-
+
@@ -38438,8 +43396,8 @@ The options are:
-
+
@@ -38465,8 +43423,8 @@ The options are:
-
+
@@ -38492,8 +43450,8 @@ The options are:
-
+
@@ -38519,8 +43477,8 @@ The options are:
-
+
@@ -38546,8 +43504,8 @@ The options are:
-
+
@@ -38573,8 +43531,8 @@ The options are:
-
+
@@ -38600,8 +43558,8 @@ The options are:
-
+
@@ -38627,8 +43585,8 @@ The options are:
-
+
@@ -38654,8 +43612,8 @@ The options are:
-
+
@@ -38681,8 +43639,8 @@ The options are:
-
+
@@ -38708,8 +43666,8 @@ The options are:
-
+
@@ -38735,8 +43693,8 @@ The options are:
-
+
@@ -38762,8 +43720,8 @@ The options are:
-
+
@@ -38789,8 +43747,8 @@ The options are:
-
+
@@ -38816,8 +43774,8 @@ The options are:
-
+
@@ -38843,8 +43801,8 @@ The options are:
-
+
@@ -38870,8 +43828,8 @@ The options are:
-
+
@@ -38897,8 +43855,8 @@ The options are:
-
+
@@ -38924,8 +43882,8 @@ The options are:
-
+
@@ -38951,8 +43909,8 @@ The options are:
-
+
@@ -38978,8 +43936,8 @@ The options are:
-
+
@@ -39005,8 +43963,8 @@ The options are:
-
+
@@ -39032,8 +43990,8 @@ The options are:
-
+
@@ -39059,8 +44017,8 @@ The options are:
-
+
@@ -39086,8 +44044,8 @@ The options are:
-
+
@@ -39113,8 +44071,8 @@ The options are:
-
+
@@ -39160,8 +44118,8 @@ The options are:
- Specifies whether password reset is enabled for AAD accounts.
0
+ Specifies whether password reset is enabled for AAD accounts.
@@ -39185,8 +44143,8 @@ The options are:
-
1
+
@@ -39203,39 +44161,14 @@ The options are:
LowestValueMostSecure
-
- AllowFidoDeviceSignon
-
-
-
-
- Specifies whether FIDO device can be used to sign on.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
- phone
- LowestValueMostSecure
-
-
AllowSecondaryAuthenticationDevice
-
0
+
@@ -39249,6 +44182,9 @@ The options are:
text/plain
+ DeviceCredential.admx
+ DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory
+ MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice
LowestValueMostSecure
@@ -39278,8 +44214,8 @@ The options are:
-
+
@@ -39305,8 +44241,8 @@ The options are:
-
+
@@ -39332,8 +44268,8 @@ The options are:
-
+
@@ -39379,8 +44315,8 @@ The options are:
-
6
+
@@ -39423,8 +44359,8 @@ The options are:
-
1
+
@@ -39447,8 +44383,8 @@ The options are:
-
1
+
@@ -39471,8 +44407,32 @@ The options are:
-
1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LowestValueMostSecure
+
+
+
+ AllowPromptedProximalConnections
+
+
+
+
+ 1
+
@@ -39495,8 +44455,8 @@ The options are:
-
+
@@ -39518,8 +44478,8 @@ The options are:
-
+
@@ -39561,8 +44521,8 @@ The options are:
- This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
1
+ This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
@@ -39577,6 +44537,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAddressBarDropdown
LowestValueMostSecure
@@ -39586,8 +44549,8 @@ The options are:
- This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
0
+ This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge.
@@ -39601,6 +44564,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowAutofill
LowestValueMostSecure
@@ -39610,8 +44576,8 @@ The options are:
-
1
+
@@ -39630,13 +44596,13 @@ The options are:
- AllowCookies
+ AllowConfigurationUpdateForBooksLibrary
- This setting lets you configure how your company deals with cookies.
- 2
+ 1
+ This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
@@ -39649,6 +44615,35 @@ The options are:
text/plain
+
+ LowestValueMostSecure
+
+
+
+ AllowCookies
+
+
+
+
+ 2
+ This setting lets you configure how your company deals with cookies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ CookiesListBox
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ Cookies
LowestValueMostSecure
@@ -39658,8 +44653,8 @@ The options are:
- This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
1
+ This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge.
@@ -39674,6 +44669,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDeveloperTools
LowestValueMostSecure
@@ -39683,8 +44681,8 @@ The options are:
- This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
0
+ This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info.
@@ -39698,6 +44696,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowDoNotTrack
LowestValueMostSecure
@@ -39707,8 +44708,8 @@ The options are:
- This setting lets you decide whether employees can load extensions in Microsoft Edge.
1
+ This setting lets you decide whether employees can load extensions in Microsoft Edge.
@@ -39723,6 +44724,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowExtensions
LowestValueMostSecure
@@ -39732,8 +44736,8 @@ The options are:
- This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
1
+ This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
@@ -39748,6 +44752,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlash
HighestValueMostSecure
@@ -39757,8 +44764,8 @@ The options are:
- Configure the Adobe Flash Click-to-Run setting.
1
+ Configure the Adobe Flash Click-to-Run setting.
@@ -39773,6 +44780,9 @@ The options are:
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowFlashClickToRun
HighestValueMostSecure
@@ -39782,8 +44792,8 @@ The options are:
- This setting lets you decide whether employees can browse using InPrivate website browsing.
1
+ This setting lets you decide whether employees can browse using InPrivate website browsing.
@@ -39797,6 +44807,9 @@ The options are:
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowInPrivate
LowestValueMostSecure
@@ -39806,12 +44819,12 @@ The options are:
+ 1
This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat.
If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly.
If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation.
- 1
@@ -39825,6 +44838,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowCVList
LowestValueMostSecure
@@ -39834,8 +44850,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether employees can save their passwords locally, using Password Manager.
1
+ This setting lets you decide whether employees can save their passwords locally, using Password Manager.
@@ -39849,6 +44865,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPasswordManager
LowestValueMostSecure
@@ -39858,8 +44877,8 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
- This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
0
+ This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows.
@@ -39874,6 +44893,9 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowPopups
LowestValueMostSecure
@@ -39883,13 +44905,13 @@ If you disable this setting, the Microsoft Compatibility List will not be used d
+ 1
Allow search engine customization for MDM enrolled devices. Users can change their default search engine.
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings.
If this setting is disabled, users will be unable to add search engines or change the default used in the address bar.
This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
- 1
@@ -39903,6 +44925,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchEngineCustomization
LowestValueMostSecure
@@ -39912,8 +44937,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
1
+ This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge.
@@ -39927,6 +44952,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSearchSuggestionsinAddressBar
LowestValueMostSecure
@@ -39936,8 +44964,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- This setting lets you decide whether to turn on Windows Defender SmartScreen.
1
+ This setting lets you decide whether to turn on Windows Defender SmartScreen.
@@ -39951,6 +44979,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowSmartScreen
LowestValueMostSecure
@@ -39960,8 +44991,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
0
+ Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device.
@@ -39975,6 +45006,9 @@ This policy will only apply on domain joined machines or when the device is MDM
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AlwaysEnableBooksLibrary
LowestValueMostSecure
@@ -39984,8 +45018,8 @@ This policy will only apply on domain joined machines or when the device is MDM
- Specifies whether to always clear browsing history on exiting Microsoft Edge.
0
+ Specifies whether to always clear browsing history on exiting Microsoft Edge.
@@ -40000,6 +45034,9 @@ This policy will only apply on domain joined machines or when the device is MDM
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ AllowClearingBrowsingDataOnExit
LowestValueMostSecure
@@ -40009,6 +45046,7 @@ This policy will only apply on domain joined machines or when the device is MDM
+
Allows you to add up to 5 additional search engines for MDM-enrolled devices.
If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default.
@@ -40016,7 +45054,6 @@ If this setting is turned on, you can add up to 5 additional search engines for
If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -40029,6 +45066,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ ConfigureAdditionalSearchEngines_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfigureAdditionalSearchEngines
LastWrite
@@ -40038,13 +45079,13 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0
Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect.
Note: This policy has no effect when Browser/HomePages is not configured.
Important
This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
- 0
@@ -40059,6 +45100,36 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ DisableLockdownOfStartPages
+ LowestValueMostSecure
+
+
+
+ EnableExtendedBooksTelemetry
+
+
+
+
+ 0
+ This setting allows organizations to send extended telemetry on book usage from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnableExtendedBooksTelemetry
LowestValueMostSecure
@@ -40068,8 +45139,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
+ This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites.
@@ -40083,6 +45154,10 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
text/plain
phone
+ MicrosoftEdge.admx
+ EnterSiteListPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ EnterpriseModeSiteList
LastWrite
@@ -40092,8 +45167,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
-
+
@@ -40116,8 +45191,8 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
- Configure first run URL.
+ Configure first run URL.
@@ -40140,13 +45215,13 @@ This setting can only be used with domain-joined or MDM-enrolled devices. For mo
+
Configure the Start page URLs for your employees.
Example:
If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support.
Encapsulate each string with greater than and less than characters like any other XML tag.
Version 1703 or later: If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL.
-
@@ -40160,6 +45235,10 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
text/plain
phone
+ MicrosoftEdge.admx
+ HomePagesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HomePages
LastWrite
@@ -40169,6 +45248,7 @@ Version 1703 or later: If you don't want to send traffic to Microsoft, you ca
+ 0
This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
@@ -40177,7 +45257,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
- 0
@@ -40191,6 +45270,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ LockdownFavorites
LowestValueMostSecure
@@ -40200,8 +45282,8 @@ If you disable or don't configure this setting (default), employees can add, imp
- Prevent access to the about:flags page in Microsoft Edge.
0
+ Prevent access to the about:flags page in Microsoft Edge.
@@ -40215,6 +45297,9 @@ If you disable or don't configure this setting (default), employees can add, imp
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventAccessToAboutFlagsInMicrosoftEdge
HighestValueMostSecure
@@ -40224,10 +45309,10 @@ If you disable or don't configure this setting (default), employees can add, imp
+ 0
Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -40242,6 +45327,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventFirstRunPage
HighestValueMostSecure
@@ -40251,10 +45339,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 0
This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
- 0
@@ -40268,6 +45356,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventLiveTileDataCollection
HighestValueMostSecure
@@ -40277,8 +45368,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides
0
+ Don't allow Windows Defender SmartScreen warning overrides
@@ -40292,6 +45383,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverride
HighestValueMostSecure
@@ -40301,8 +45395,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Don't allow Windows Defender SmartScreen warning overrides for unverified files.
0
+ Don't allow Windows Defender SmartScreen warning overrides for unverified files.
@@ -40316,6 +45410,37 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventSmartScreenPromptOverrideForFiles
+ HighestValueMostSecure
+
+
+
+ PreventTabPreloading
+
+
+
+
+ 0
+ Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ PreventTabPreloading
HighestValueMostSecure
@@ -40325,8 +45450,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Prevent using localhost IP address for WebRTC
0
+ Prevent using localhost IP address for WebRTC
@@ -40340,6 +45465,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ HideLocalHostIPAddress
HighestValueMostSecure
@@ -40349,6 +45477,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites.
If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.
@@ -40357,7 +45486,6 @@ Important
Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
-
@@ -40370,6 +45498,10 @@ If you disable or don't configure this setting, employees will see the favorites
text/plain
+ MicrosoftEdge.admx
+ ConfiguredFavoritesPrompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ConfiguredFavorites
LastWrite
@@ -40379,8 +45511,8 @@ If you disable or don't configure this setting, employees will see the favorites
- Sends all intranet traffic over to Internet Explorer.
0
+ Sends all intranet traffic over to Internet Explorer.
@@ -40395,6 +45527,9 @@ If you disable or don't configure this setting, employees will see the favorites
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SendIntranetTraffictoInternetExplorer
HighestValueMostSecure
@@ -40404,6 +45539,7 @@ If you disable or don't configure this setting, employees will see the favorites
+
Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine.
If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING.
@@ -40411,7 +45547,6 @@ If this setting is turned on, you are setting the default search engine that you
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled.
-
@@ -40424,6 +45559,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ MicrosoftEdge.admx
+ SetDefaultSearchEngine_Prompt
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SetDefaultSearchEngine
LastWrite
@@ -40433,8 +45572,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Show message when opening sites in Internet Explorer
0
+ Show message when opening sites in Internet Explorer
@@ -40449,6 +45588,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ ShowMessageWhenOpeningSitesInInternetExplorer
HighestValueMostSecure
@@ -40458,8 +45600,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
0
+ Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -40474,6 +45616,36 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ SyncFavoritesBetweenIEAndMicrosoftEdge
+ LowestValueMostSecure
+
+
+
+ UseSharedFolderForBooks
+
+
+
+
+ 0
+ This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ MicrosoftEdge.admx
+ MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge
+ UseSharedFolderForBooks
LowestValueMostSecure
@@ -40503,8 +45675,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40518,6 +45690,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ Camera.admx
+ Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory
+ L_AllowCamera
LowestValueMostSecure
@@ -40547,8 +45722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- This policy setting specifies whether Windows apps can access cellular data.
0
+ This policy setting specifies whether Windows apps can access cellular data.
@@ -40561,6 +45736,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ wwansvc.admx
+ LetAppsAccessCellularData_Enum
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularData
HighestValueMostSecure
@@ -40570,8 +45750,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40584,6 +45764,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_ForceAllowTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularData
LastWrite
;
@@ -40594,8 +45778,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40608,6 +45792,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_ForceDenyTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularData
LastWrite
;
@@ -40618,8 +45806,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps.
@@ -40632,6 +45820,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+ wwansvc.admx
+ LetAppsAccessCellularData_UserInControlOfTheseApps_List
+ wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess
+ LetAppsAccessCellularData
LastWrite
;
@@ -40642,8 +45834,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40688,8 +45880,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
2
+
@@ -40712,8 +45904,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40726,6 +45918,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecure
@@ -40735,8 +45928,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40749,6 +45942,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ WCM.admx
+ WCM~AT~Network~WCM_Category
+ WCM_DisableRoaming
LowestValueMostSecure
@@ -40758,8 +45955,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40782,8 +45979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40801,14 +45998,41 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
LowestValueMostSecure
+
+ AllowPhonePCLinking
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ grouppolicy.admx
+ grouppolicy~AT~System~PolicyPolicies
+ enableMMX
+ LowestValueMostSecure
+
+
AllowUSBConnection
-
1
+
@@ -40832,8 +46056,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40856,8 +46080,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -40880,8 +46104,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40907,8 +46131,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40934,8 +46158,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -40961,8 +46185,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -40975,6 +46199,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ ICM.admx
+ ICM~AT~System~InternetManagement~InternetManagement_Settings
+ NoActiveProbe
HighestValueMostSecure
@@ -40984,8 +46212,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41011,8 +46239,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41033,6 +46261,50 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ ControlPolicyConflict
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ MDMWinsOverGP
+
+
+
+
+ 0
+ If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LastWrite
+
+
+
CredentialProviders
@@ -41058,8 +46330,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41085,8 +46357,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41112,8 +46384,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41131,6 +46403,53 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+
+ CredentialsDelegation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RemoteHostAllowsDelegationOfNonExportableCredentials
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ CredSsp.admx
+ CredSsp~AT~System~CredentialsDelegation
+ AllowProtectedCreds
+ LastWrite
+
+
+
CredentialsUI
@@ -41156,8 +46475,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41183,8 +46502,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41230,8 +46549,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41244,6 +46563,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
+ Windows Settings~Security Settings~Local Policies~Security Options
+ System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing
LastWrite
@@ -41253,8 +46575,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41296,8 +46618,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41320,8 +46642,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41363,8 +46685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41389,8 +46711,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41435,8 +46757,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41449,7 +46771,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableArchiveScanning
HighestValueMostSecure
@@ -41459,8 +46785,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41473,7 +46799,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableBehaviorMonitoring
HighestValueMostSecure
@@ -41483,8 +46813,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41497,7 +46827,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ SpynetReporting
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet
+ SpynetReporting
HighestValueMostSecure
@@ -41507,8 +46842,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41521,7 +46856,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableEmailScanning
HighestValueMostSecure
@@ -41531,8 +46870,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41545,7 +46884,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableScanningMappedNetworkDrivesForFullScan
HighestValueMostSecure
@@ -41555,8 +46898,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41569,7 +46912,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableRemovableDriveScanning
HighestValueMostSecure
@@ -41579,8 +46926,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41593,6 +46940,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
HighestValueMostSecure
@@ -41603,8 +46951,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41617,7 +46965,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableIOAVProtection
HighestValueMostSecure
@@ -41627,8 +46979,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41641,7 +46993,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_DisableOnAccessProtection
HighestValueMostSecure
@@ -41651,8 +47007,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41665,7 +47021,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ DisableRealtimeMonitoring
HighestValueMostSecure
@@ -41675,8 +47035,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41689,7 +47049,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_DisableScanningNetworkFiles
HighestValueMostSecure
@@ -41699,8 +47063,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41713,6 +47077,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
HighestValueMostSecure
@@ -41723,8 +47088,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -41737,7 +47102,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface
+ UX_Configuration_UILockdown
LastWrite
@@ -41747,8 +47116,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41762,6 +47131,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ ExploitGuard_ASR_ASROnlyExclusions
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR
+ ExploitGuard_ASR_ASROnlyExclusions
LastWrite
@@ -41771,8 +47144,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41786,6 +47159,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ ExploitGuard_ASR_Rules
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR
+ ExploitGuard_ASR_Rules
LastWrite
@@ -41795,8 +47172,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
50
+
@@ -41809,7 +47186,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ Scan_AvgCPULoadFactor
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_AvgCPULoadFactor
LastWrite
@@ -41819,8 +47201,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41833,7 +47215,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ MpCloudBlockLevel
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine
+ MpEngine_MpCloudBlockLevel
LastWrite
@@ -41843,8 +47230,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41857,7 +47244,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ MpBafsExtendedTimeout
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine
+ MpEngine_MpBafsExtendedTimeout
LastWrite
@@ -41867,8 +47259,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41882,6 +47274,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_AllowedApplications
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_AllowedApplications
LastWrite
@@ -41891,8 +47287,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -41906,6 +47302,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_ProtectedFolders
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_ProtectedFolders
LastWrite
@@ -41915,8 +47315,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41929,7 +47329,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ Quarantine_PurgeItemsAfterDelay
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine
+ Quarantine_PurgeItemsAfterDelay
LastWrite
@@ -41939,8 +47344,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41953,7 +47358,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess
+ ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
LastWrite
@@ -41963,8 +47373,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -41977,7 +47387,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ ExploitGuard_EnableNetworkProtection
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection
+ ExploitGuard_EnableNetworkProtection
LastWrite
@@ -41987,8 +47402,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42002,6 +47417,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ Exclusions_PathsList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_Paths
LastWrite
@@ -42011,8 +47430,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42026,6 +47445,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ Exclusions_ExtensionsList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_Extensions
LastWrite
@@ -42035,8 +47458,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42050,6 +47473,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ Exclusions_ProcessesList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions
+ Exclusions_Processes
LastWrite
@@ -42059,8 +47486,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42073,6 +47500,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
LastWrite
@@ -42083,8 +47511,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42097,7 +47525,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ RealtimeProtection_RealtimeScanDirection
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection
+ RealtimeProtection_RealtimeScanDirection
LowestValueMostSecure
@@ -42107,8 +47540,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -42121,7 +47554,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ Scan_ScanParameters
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScanParameters
LastWrite
@@ -42131,8 +47569,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
120
+
@@ -42145,7 +47583,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ Scan_ScheduleQuickScantime
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleQuickScantime
LastWrite
@@ -42155,8 +47598,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42169,7 +47612,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ Scan_ScheduleDay
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleDay
LastWrite
@@ -42179,8 +47627,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
120
+
@@ -42193,7 +47641,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ Scan_ScheduleTime
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan
+ Scan_ScheduleTime
LastWrite
@@ -42203,8 +47656,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
8
+
@@ -42217,7 +47670,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ SignatureUpdate_SignatureUpdateInterval
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate
+ SignatureUpdate_SignatureUpdateInterval
LastWrite
@@ -42227,8 +47685,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -42241,7 +47699,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
+ WindowsDefender.admx
+ SubmitSamplesConsent
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet
+ SubmitSamplesConsent
HighestValueMostSecure
@@ -42251,8 +47714,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42266,6 +47729,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
phone
+ WindowsDefender.admx
+ Threats_ThreatSeverityDefaultActionList
+ WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats
+ Threats_ThreatSeverityDefaultAction
LastWrite
@@ -42295,8 +47762,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
10
+
@@ -42309,7 +47776,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ AbsoluteMaxCacheSize
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ AbsoluteMaxCacheSize
LastWrite
@@ -42319,8 +47790,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42334,20 +47805,23 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ AllowVPNPeerCaching
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ AllowVPNPeerCaching
LowestValueMostSecure
- DOCacheHost
+ DODelayBackgroundDownloadFromHttp
+ 0
-
-
+
@@ -42358,7 +47832,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ DelayBackgroundDownloadFromHttp
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DelayBackgroundDownloadFromHttp
+ LastWrite
+
+
+
+ DODelayForegroundDownloadFromHttp
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ DelayForegroundDownloadFromHttp
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DelayForegroundDownloadFromHttp
LastWrite
@@ -42368,8 +47874,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
1
+
@@ -42383,7 +47889,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ DownloadMode
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ DownloadMode
LastWrite
@@ -42393,8 +47902,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42407,7 +47916,38 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ GroupId
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ GroupId
+ LastWrite
+
+
+
+ DOGroupIdSource
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ GroupIdSource
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ GroupIdSource
LastWrite
@@ -42417,8 +47957,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
259200
+
@@ -42431,7 +47971,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxCacheAge
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxCacheAge
LastWrite
@@ -42441,8 +47985,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
20
+
@@ -42455,7 +47999,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxCacheSize
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxCacheSize
LastWrite
@@ -42465,8 +48013,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42479,7 +48027,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxDownloadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxDownloadBandwidth
LastWrite
@@ -42489,8 +48041,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42503,7 +48055,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MaxUploadBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MaxUploadBandwidth
LastWrite
@@ -42513,8 +48069,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
500
+
@@ -42527,7 +48083,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinBackgroundQos
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinBackgroundQos
LastWrite
@@ -42537,8 +48097,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42551,7 +48111,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinBatteryPercentageAllowedToUpload
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinBatteryPercentageAllowedToUpload
LastWrite
@@ -42561,8 +48125,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
32
+
@@ -42575,7 +48139,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinDiskSizeAllowedToPeer
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinDiskSizeAllowedToPeer
LastWrite
@@ -42585,8 +48153,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
100
+
@@ -42599,7 +48167,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinFileSizeToCache
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinFileSizeToCache
LastWrite
@@ -42609,8 +48181,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
4
+
@@ -42623,7 +48195,11 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MinRAMAllowedToPeer
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MinRAMAllowedToPeer
LastWrite
@@ -42633,8 +48209,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
%SystemDrive%
+
@@ -42647,7 +48223,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+ DeliveryOptimization.admx
+ ModifyCacheDrive
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ ModifyCacheDrive
LastWrite
@@ -42657,8 +48236,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
20
+
@@ -42671,7 +48250,39 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
- phone
+
+ DeliveryOptimization.admx
+ MonthlyUploadDataCap
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ MonthlyUploadDataCap
+ LastWrite
+
+
+
+ DOPercentageMaxBackgroundBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ PercentageMaxBackgroundBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ PercentageMaxBackgroundBandwidth
LastWrite
@@ -42681,8 +48292,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -42695,10 +48306,191 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
phone
LastWrite
+
+ DOPercentageMaxForegroundBandwidth
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ PercentageMaxForegroundBandwidth
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ PercentageMaxForegroundBandwidth
+ LastWrite
+
+
+
+ DORestrictPeerSelectionBy
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DeliveryOptimization.admx
+ RestrictPeerSelectionBy
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ RestrictPeerSelectionBy
+ LastWrite
+
+
+
+ DOSetHoursToLimitBackgroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ DeliveryOptimization.admx
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ SetHoursToLimitBackgroundDownloadBandwidth
+ LastWrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
+
+ DOSetHoursToLimitForegroundDownloadBandwidth
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ DeliveryOptimization.admx
+ DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat
+ SetHoursToLimitForegroundDownloadBandwidth
+ LastWrite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]>
+
+
DeviceGuard
@@ -42725,8 +48517,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Turns On Virtualization Based Security(VBS)
0
+ Turns On Virtualization Based Security(VBS)
@@ -42741,6 +48533,9 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurity
HighestValueMostSecure
@@ -42750,8 +48545,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
0
+ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
@@ -42766,6 +48561,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ CredentialIsolationDrop
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurity
LowestValueMostSecureZeroHasNoLimits
@@ -42775,8 +48574,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
1
+ Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
@@ -42791,6 +48590,10 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
phone
+ DeviceGuard.admx
+ RequirePlatformSecurityFeaturesDrop
+ DeviceGuard~AT~System~DeviceGuardCategory
+ VirtualizationBasedSecurity
HighestValueMostSecure
@@ -42820,8 +48623,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42847,8 +48650,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -42894,8 +48697,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether the user must input a PIN or password when the device resumes from an idle state.
1
+ Specifies whether the user must input a PIN or password when the device resumes from an idle state.
@@ -42919,8 +48722,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
0
+ Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
@@ -42933,6 +48736,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LastWrite
@@ -42942,8 +48746,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.
1
+ Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords.
@@ -42956,6 +48760,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecure
@@ -42965,8 +48770,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0
2
+ Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0
@@ -42979,6 +48784,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecure
@@ -42988,8 +48794,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies whether device lock is enabled.
1
+ Specifies whether device lock is enabled.
@@ -43002,6 +48808,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecure
@@ -43011,8 +48818,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies when the password expires (in days).
0
+ Specifies when the password expires (in days).
@@ -43025,6 +48832,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecureZeroHasNoLimits
@@ -43034,8 +48842,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies how many passwords can be stored in the history that can’t be used.
0
+ Specifies how many passwords can be stored in the history that can’t be used.
@@ -43048,6 +48856,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
HighestValueMostSecure
@@ -43057,8 +48866,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -43081,8 +48890,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
+
@@ -43104,8 +48913,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
-
0
+
@@ -43118,6 +48927,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecureZeroHasNoLimits
@@ -43127,8 +48937,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
0
+ The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
@@ -43141,6 +48951,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
LowestValueMostSecureZeroHasNoLimits
@@ -43150,8 +48961,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Sets the maximum timeout value for the external display.
0
+ Sets the maximum timeout value for the external display.
@@ -43164,6 +48975,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
desktop
LowestValueMostSecure
@@ -43174,8 +48986,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
1
+ The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
@@ -43188,6 +49000,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
HighestValueMostSecure
@@ -43197,8 +49010,8 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
- Specifies the minimum number or characters required in the PIN or password.
4
+ Specifies the minimum number or characters required in the PIN or password.
@@ -43211,6 +49024,7 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
text/plain
+
HighestValueMostSecureZeroHasNoLimits
@@ -43220,12 +49034,12 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on
+ 1
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
- 1
@@ -43238,8 +49052,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
+ phone
+ Windows Settings~Security Settings~Account Policies~Password Policy
+ Minimum password age
+ HighestValueMostSecure
+
+
+
+ PreventEnablingLockScreenCamera
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
phone
- HighestValueMostSecure
+ ControlPanelDisplay.admx
+ ControlPanelDisplay~AT~ControlPanel~Personalization
+ CPL_Personalization_NoLockScreenCamera
+ LastWrite
@@ -43248,8 +49092,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43275,8 +49119,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
10
+ Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
@@ -43289,6 +49133,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
LastWrite
@@ -43313,13 +49158,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- TurnOffGdiDPIScalingForApps
+ DisablePerProcessDpiForApps
- This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+ This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
@@ -43333,6 +49178,95 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
phone
+ Display.admx
+ DisplayDisablePerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LastWrite
+
+
+
+ EnablePerProcessDpi
+
+
+
+
+
+ Enable or disable Per-Process System DPI for all applications.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Display.admx
+ DisplayGlobalPerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LowestValueMostSecure
+
+
+
+ EnablePerProcessDpiForApps
+
+
+
+
+
+ This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Display.admx
+ DisplayEnablePerProcessSystemDpiSettings
+ Display~AT~System~DisplayCat
+ DisplayPerProcessSystemDpiSettings
+ LastWrite
+
+
+
+ TurnOffGdiDPIScalingForApps
+
+
+
+
+
+ This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Display.admx
+ DisplayTurnOffGdiDPIScalingPrompt
+ Display~AT~System~DisplayCat
+ DisplayTurnOffGdiDPIScaling
LastWrite
@@ -43342,8 +49276,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
+ This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension.
@@ -43357,6 +49291,10 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
phone
+ Display.admx
+ DisplayTurnOnGdiDPIScalingPrompt
+ Display~AT~System~DisplayCat
+ DisplayTurnOnGdiDPIScaling
LastWrite
@@ -43386,8 +49324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43413,8 +49351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43440,8 +49378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43467,8 +49405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43494,8 +49432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43541,8 +49479,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43568,8 +49506,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43595,8 +49533,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43622,8 +49560,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -43669,8 +49607,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43694,8 +49632,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43709,6 +49647,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortana
LowestValueMostSecure
@@ -43718,8 +49659,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43742,8 +49683,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43757,6 +49698,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ FindMy.admx
+ FindMy~AT~WindowsComponents~FindMyDeviceCat
+ FindMy_AllowFindMyDeviceConfig
LowestValueMostSecure
@@ -43766,8 +49710,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43790,8 +49734,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43814,8 +49758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43838,8 +49782,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43862,8 +49806,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43886,8 +49830,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43910,8 +49854,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43935,8 +49879,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -43955,13 +49899,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- AllowWindowsTips
+ AllowWindowsConsumerFeatures
+ 0
- 1
@@ -43976,17 +49920,20 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableWindowsConsumerFeatures
LowestValueMostSecure
- DoNotShowFeedbackNotifications
+ AllowWindowsTips
+ 1
- 0
@@ -43999,6 +49946,38 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+
+ phone
+ CloudContent.admx
+ CloudContent~AT~WindowsComponents~CloudContent
+ DisableSoftLanding
+ LowestValueMostSecure
+
+
+
+ DoNotShowFeedbackNotifications
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ FeedbackNotifications.admx
+ FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ DoNotShowFeedbackNotifications
HighestValueMostSecure
@@ -44028,8 +50007,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44042,6 +50021,84 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
text/plain
+ ExploitGuard.admx
+ ExploitProtection_Name
+ ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection
+ ExploitProtection_Name
+ LastWrite
+
+
+
+
+ FileExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOffDataExecutionPreventionForExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Explorer.admx
+ Explorer~AT~WindowsExplorer
+ NoDataExecutionPrevention
+ LastWrite
+
+
+
+ TurnOffHeapTerminationOnCorruption
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Explorer.admx
+ Explorer~AT~WindowsExplorer
+ NoHeapTerminationOnCorruption
LastWrite
@@ -44071,8 +50128,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
1
+ Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
@@ -44115,8 +50172,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen
0
+ Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen
@@ -44131,6 +50188,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ Handwriting.admx
+ Handwriting~AT~WindowsComponents~Handwriting
+ PanelDefaultModeDocked
LowestValueMostSecure
@@ -44160,8 +50220,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44187,8 +50247,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44214,8 +50274,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44241,8 +50301,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44268,8 +50328,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44295,8 +50355,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44322,8 +50382,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44349,8 +50409,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44376,8 +50436,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44403,8 +50463,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44430,8 +50490,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44457,8 +50517,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44484,8 +50544,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44511,8 +50571,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44538,8 +50598,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44565,8 +50625,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44592,8 +50652,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44619,8 +50679,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44646,8 +50706,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44673,8 +50733,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44700,8 +50760,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44727,8 +50787,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44754,8 +50814,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44781,8 +50841,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44808,8 +50868,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44835,8 +50895,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44862,8 +50922,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44889,8 +50949,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44905,8 +50965,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
inetres.admx
- inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryBinaryBehaviorSecurityRestriction
- IESF_PolicyExplorerProcesses_2
+ inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling
+ IESF_PolicyExplorerProcesses_5
LastWrite
@@ -44916,8 +50976,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44943,8 +51003,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44970,8 +51030,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -44997,8 +51057,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45024,8 +51084,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45051,8 +51111,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45078,8 +51138,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45105,8 +51165,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45132,8 +51192,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45159,8 +51219,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45186,8 +51246,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45213,8 +51273,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45240,8 +51300,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45267,8 +51327,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45294,8 +51354,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45321,8 +51381,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45348,8 +51408,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45375,8 +51435,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45402,8 +51462,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45429,8 +51489,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45456,8 +51516,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45483,8 +51543,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45510,8 +51570,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45537,8 +51597,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45564,8 +51624,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45591,8 +51651,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45618,8 +51678,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45645,8 +51705,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45672,8 +51732,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45699,8 +51759,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45726,8 +51786,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45753,8 +51813,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45780,8 +51840,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45807,8 +51867,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45834,8 +51894,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45861,8 +51921,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45888,8 +51948,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45915,8 +51975,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45942,8 +52002,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45969,8 +52029,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -45996,8 +52056,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46023,8 +52083,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46050,8 +52110,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46071,14 +52131,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ InternetZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone
+ IZ_PolicyAllowVBScript_1
+ LastWrite
+
+
InternetZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -46104,8 +52191,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46131,8 +52218,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46158,8 +52245,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46185,8 +52272,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46212,8 +52299,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46239,8 +52326,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46266,8 +52353,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46293,8 +52380,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46320,8 +52407,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46347,8 +52434,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46374,8 +52461,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46401,8 +52488,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46428,8 +52515,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46455,8 +52542,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46482,8 +52569,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46509,8 +52596,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46536,8 +52623,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46563,8 +52650,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46590,8 +52677,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46617,8 +52704,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46644,8 +52731,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46671,8 +52758,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46698,8 +52785,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46725,8 +52812,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46752,8 +52839,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46779,8 +52866,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46806,8 +52893,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46833,8 +52920,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46860,8 +52947,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46887,8 +52974,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46914,8 +53001,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46941,8 +53028,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46968,8 +53055,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -46995,8 +53082,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47022,8 +53109,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47049,8 +53136,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47076,8 +53163,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47103,8 +53190,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47130,8 +53217,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47157,8 +53244,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47184,8 +53271,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47211,8 +53298,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47238,8 +53325,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47265,8 +53352,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47292,8 +53379,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47319,8 +53406,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47346,8 +53433,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47373,8 +53460,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47400,8 +53487,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47427,8 +53514,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47454,8 +53541,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47481,8 +53568,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47508,8 +53595,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47535,8 +53622,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47556,14 +53643,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ LockedDownIntranetJavaPermissions
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown
+ IZ_PolicyJavaPermissions_4
+ LastWrite
+
+
LockedDownIntranetZoneAllowAccessToDataSources
-
+
@@ -47589,8 +53703,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47616,8 +53730,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47643,8 +53757,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47670,8 +53784,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47697,8 +53811,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47724,8 +53838,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47751,8 +53865,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47778,8 +53892,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47805,8 +53919,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47832,8 +53946,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47859,8 +53973,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47886,8 +54000,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47913,8 +54027,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47940,8 +54054,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47967,8 +54081,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -47994,8 +54108,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48021,8 +54135,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48048,8 +54162,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48075,8 +54189,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48102,8 +54216,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48129,8 +54243,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48156,8 +54270,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48183,8 +54297,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48210,8 +54324,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48237,8 +54351,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48264,8 +54378,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48291,8 +54405,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48318,8 +54432,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48345,8 +54459,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48372,8 +54486,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48399,8 +54513,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48426,8 +54540,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48453,8 +54567,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48480,8 +54594,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48507,8 +54621,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48534,8 +54648,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48561,8 +54675,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48588,8 +54702,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48615,8 +54729,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48642,8 +54756,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48669,8 +54783,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48696,8 +54810,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48723,8 +54837,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48750,8 +54864,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48777,8 +54891,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48804,8 +54918,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48831,8 +54945,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48858,8 +54972,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48885,8 +54999,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48912,8 +55026,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48939,8 +55053,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48966,8 +55080,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -48993,8 +55107,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49020,8 +55134,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49047,8 +55161,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49074,8 +55188,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49101,8 +55215,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49128,8 +55242,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49155,8 +55269,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49182,8 +55296,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49209,8 +55323,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49236,8 +55350,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49263,8 +55377,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49290,8 +55404,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49317,8 +55431,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49344,8 +55458,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49371,8 +55485,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49398,8 +55512,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49425,8 +55539,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49452,8 +55566,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49479,8 +55593,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49506,8 +55620,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49533,8 +55647,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49560,8 +55674,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49587,8 +55701,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49608,14 +55722,41 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
LastWrite
+
+ RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ inetres.admx
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone
+ IZ_PolicyAllowVBScript_7
+ LastWrite
+
+
RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
-
+
@@ -49641,8 +55782,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49668,8 +55809,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49695,8 +55836,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49722,8 +55863,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49749,8 +55890,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49776,8 +55917,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49803,8 +55944,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49830,8 +55971,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49857,8 +55998,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49884,8 +56025,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49911,8 +56052,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49938,8 +56079,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49965,8 +56106,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -49992,8 +56133,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50019,8 +56160,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50046,8 +56187,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50073,8 +56214,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50100,8 +56241,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50127,8 +56268,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50154,8 +56295,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50181,8 +56322,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50208,8 +56349,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50230,13 +56371,13 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
- SecurityZonesUseOnlyMachineSettings
+ SecurityZonesUseOnlyMachineSettings
-
+
@@ -50262,8 +56403,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50289,8 +56430,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50316,8 +56457,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50343,8 +56484,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50370,8 +56511,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50397,8 +56538,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50424,8 +56565,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50451,8 +56592,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50478,8 +56619,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50505,8 +56646,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50532,8 +56673,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50559,8 +56700,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50586,8 +56727,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50613,8 +56754,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50660,8 +56801,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50687,8 +56828,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50714,8 +56855,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50741,8 +56882,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50768,8 +56909,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
+
@@ -50790,6 +56931,173 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+
+ KioskBrowser
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ BlockedUrlExceptions
+
+
+
+
+
+ List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ BlockedUrls
+
+
+
+
+
+ List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ DefaultURL
+
+
+
+
+
+ Configures the default URL kiosk browsers to navigate on launch and restart.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
+ EnableHomeButton
+
+
+
+
+ 0
+ Enable/disable kiosk browser's home button.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ EnableNavigationButtons
+
+
+
+
+ 0
+ Enable/disable kiosk browser's navigation buttons (forward/back).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
+ RestartOnIdleTime
+
+
+
+
+ 0
+ Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ LastWrite
+
+
+
Licensing
@@ -50815,8 +57123,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
1
+
@@ -50831,6 +57139,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ AVSValidationGP.admx
+ AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform
+ AllowWindowsEntitlementReactivation
LowestValueMostSecure
@@ -50840,8 +57151,8 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
-
0
+
@@ -50856,6 +57167,9 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
phone
+ AVSValidationGP.admx
+ AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform
+ NoAcquireGT
LowestValueMostSecure
@@ -50885,6 +57199,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
+ 0
This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
@@ -50892,7 +57207,6 @@ If you select the "Users can’t add Microsoft accounts" option, users will not
If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
- 0
@@ -50907,6 +57221,8 @@ If you disable or do not configure this policy (recommended), users will be able
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Block Microsoft accounts
LastWrite
@@ -50916,6 +57232,7 @@ If you disable or do not configure this policy (recommended), users will be able
+ 0
This security setting determines whether the local Administrator account is enabled or disabled.
Notes
@@ -50926,7 +57243,6 @@ Disabling the Administrator account can become a maintenance issue under certain
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
Default: Disabled.
- 0
@@ -50939,7 +57255,10 @@ Default: Disabled.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Administrator account status
LastWrite
@@ -50949,12 +57268,12 @@ Default: Disabled.
+ 0
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
- 0
@@ -50967,7 +57286,10 @@ Note: If the Guest account is disabled and the security option Network Access: S
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Guest account status
LastWrite
@@ -50977,6 +57299,7 @@ Note: If the Guest account is disabled and the security option Network Access: S
+ 1
Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
@@ -50993,7 +57316,6 @@ Notes
This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.
- 1
@@ -51006,7 +57328,10 @@ It is possible for applications that use remote interactive logons to bypass thi
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Limit local account use of blank passwords to console logon only
LastWrite
@@ -51016,12 +57341,12 @@ It is possible for applications that use remote interactive logons to bypass thi
+ Administrator
Accounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
Default: Administrator.
- Administrator
@@ -51035,6 +57360,8 @@ Default: Administrator.
text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Rename administrator account
LastWrite
@@ -51044,12 +57371,12 @@ Default: Administrator.
+ Guest
Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.
Default: Guest.
- Guest
@@ -51063,6 +57390,8 @@ Default: Guest.
text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Accounts: Rename guest account
LastWrite
@@ -51072,6 +57401,7 @@ Default: Guest.
+ 0
Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
@@ -51080,7 +57410,6 @@ Administrators
Administrators and Interactive Users
Default: This policy is not defined and only Administrators have this ability.
- 0
@@ -51094,6 +57423,8 @@ Default: This policy is not defined and only Administrators have this ability.text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Allowed to format and eject removable media
LastWrite
@@ -51103,13 +57434,13 @@ Default: This policy is not defined and only Administrators have this ability.
+ 1
Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.
Default: Enabled.
Caution
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.
- 1
@@ -51122,7 +57453,10 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Allow undock without having to log on
LastWrite
@@ -51132,6 +57466,7 @@ Disabling this policy may tempt users to try and physically remove the laptop fr
+ 0
Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.
@@ -51143,7 +57478,6 @@ Notes
This setting does not affect the ability to add a local printer.
This setting does not affect Administrators.
- 0
@@ -51156,7 +57490,10 @@ This setting does not affect Administrators.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Prevent users from installing printer drivers
LastWrite
@@ -51166,6 +57503,7 @@ This setting does not affect Administrators.
+ 0
Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
@@ -51173,7 +57511,6 @@ This security setting determines whether a CD-ROM is accessible to both local an
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
- 0
@@ -51187,6 +57524,245 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Devices: Restrict CD-ROM access to locally logged-on user only
+ LastWrite
+
+
+
+ DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+
+
+ 1
+ Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally encrypt or sign secure channel data (always)
+ LastWrite
+
+
+
+ DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+
+
+ 1
+ Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally encrypt secure channel data (when possible)
+ LastWrite
+
+
+
+ DomainMember_DigitallySignSecureChannelDataWhenPossible
+
+
+
+
+ 1
+ Domain member: Digitally sign secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
+
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Digitally sign secure channel data (when possible)
+ LastWrite
+
+
+
+ DomainMember_DisableMachineAccountPasswordChanges
+
+
+
+
+ 0
+ Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Disable machine account password changes
+ LastWrite
+
+
+
+ DomainMember_MaximumMachineAccountPasswordAge
+
+
+
+
+ 30
+ Domain member: Maximum machine account password age
+
+This security setting determines how often a domain member will attempt to change its computer account password.
+
+Default: 30 days.
+
+Important
+
+This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Maximum machine account password age
+ LowestValueMostSecure
+
+
+
+ DomainMember_RequireStrongSessionKey
+
+
+
+
+ 1
+ Domain member: Require strong (Windows 2000 or later) session key
+
+This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.
+
+Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+Domain member: Digitally encrypt secure channel data (when possible)
+Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.
+
+If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.
+
+Default: Enabled.
+
+Important
+
+In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
+In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Domain member: Require strong (Windows 2000 or later) session key
LastWrite
@@ -51196,11 +57772,11 @@ Default: This policy is not defined and CD-ROM access is not restricted to the l
+ 1
Interactive Logon:Display user information when the session is locked
User display name, domain and user names (1)
User display name only (2)
Do not display user information (3)
- 1
@@ -51213,7 +57789,10 @@ Do not display user information (3)
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Display user information when the session is locked
LastWrite
@@ -51223,6 +57802,7 @@ Do not display user information (3)
+ 0
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
If this policy is enabled, the username will not be shown.
@@ -51230,7 +57810,6 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
- 0
@@ -51243,7 +57822,10 @@ Default: Disabled.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Don't display last signed-in
LastWrite
@@ -51253,6 +57835,7 @@ Default: Disabled.
+ 1
Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
If this policy is enabled, the username will not be shown.
@@ -51260,7 +57843,6 @@ If this policy is enabled, the username will not be shown.
If this policy is disabled, the username will be shown.
Default: Disabled.
- 1
@@ -51273,7 +57855,10 @@ Default: Disabled.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Don't display username at sign-in
LastWrite
@@ -51283,6 +57868,7 @@ Default: Disabled.
+ 1
Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
@@ -51293,7 +57879,6 @@ If this policy is disabled, any user is required to press CTRL+ALT+DEL before lo
Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.
- 1
@@ -51306,7 +57891,10 @@ Default on stand-alone computers: Enabled.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Do not require CTRL+ALT+DEL
LastWrite
@@ -51316,12 +57904,12 @@ Default on stand-alone computers: Enabled.
+ 0
Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
- 0
@@ -51334,7 +57922,10 @@ Default: not enforced.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Machine inactivity limit
LastWrite
@@ -51344,6 +57935,7 @@ Default: not enforced.
+
Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
@@ -51351,7 +57943,6 @@ This security setting specifies a text message that is displayed to users when t
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Default: No message.
-
@@ -51365,6 +57956,8 @@ Default: No message.
text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Message text for users attempting to log on
LastWrite
0xF000
@@ -51375,12 +57968,12 @@ Default: No message.
+
Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.
Default: No message.
-
@@ -51394,23 +57987,40 @@ Default: No message.
text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Message title for users attempting to log on
LastWrite
- NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+ InteractiveLogon_SmartCardRemovalBehavior
- Network access: Restrict clients allowed to make remote calls to SAM
+ 0
+ Interactive logon: Smart card removal behavior
-This policy setting allows you to restrict remote rpc connections to SAM.
+This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
-If not selected, the default security descriptor will be used.
+The options are:
-This policy is supported on at least Windows Server 2016.
-
+ No Action
+ Lock Workstation
+ Force Logoff
+ Disconnect if a Remote Desktop Services session
+
+If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
+
+If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.
+
+If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.
+
+Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+Default: This policy is not defined, which means that the system treats it as No action.
+
+On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
@@ -51424,19 +58034,41 @@ This policy is supported on at least Windows Server 2016.
text/plain
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Interactive logon: Smart card removal behavior
LastWrite
- NetworkSecurity_AllowPKU2UAuthenticationRequests
+ MicrosoftNetworkClient_DigitallySignCommunicationsAlways
- Network security: Allow PKU2U authentication requests to this computer to use online identities.
+ 0
+ Microsoft network client: Digitally sign communications (always)
-This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
- 1
+This security setting determines whether packet signing is required by the SMB client component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
+
+Default: Disabled.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
@@ -51449,16 +58081,579 @@ This policy will be turned off by default on domain joined machines. This would
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Digitally sign communications (always)
LastWrite
+
+ MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
+
+
+
+
+ 1
+ Microsoft network client: Digitally sign communications (if server agrees)
+
+This security setting determines whether the SMB client attempts to negotiate SMB packet signing.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.
+
+If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Digitally sign communications (if server agrees)
+ LastWrite
+
+
+
+ MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
+
+
+
+
+ 0
+ Microsoft network client: Send unencrypted password to connect to third-party SMB servers
+
+If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
+
+Sending unencrypted passwords is a security risk.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network client: Send unencrypted password to third-party SMB servers
+ LastWrite
+
+
+
+ MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession
+
+
+
+
+ 15
+ Microsoft network server: Amount of idle time required before suspending a session
+
+This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
+
+Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
+
+For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
+
+Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Amount of idle time required before suspending session
+ LowestValueMostSecure
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsAlways
+
+
+
+
+ 0
+ Microsoft network server: Digitally sign communications (always)
+
+This security setting determines whether packet signing is required by the SMB server component.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
+
+If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
+
+Default:
+
+Disabled for member servers.
+Enabled for domain controllers.
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
+If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
+
+Important
+
+For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
+Microsoft network server: Digitally sign communications (if server agrees)
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
+HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Digitally sign communications (always)
+ LastWrite
+
+
+
+ MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
+
+
+
+
+ 0
+ Microsoft network server: Digitally sign communications (if client agrees)
+
+This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.
+
+The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.
+
+If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.
+
+Default: Enabled on domain controllers only.
+
+Important
+
+For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
+
+Notes
+
+All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
+Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
+Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
+SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
+For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Microsoft network server: Digitally sign communications (if client agrees)
+ LastWrite
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
+
+
+
+
+ 1
+ Network access: Do not allow anonymous enumeration of SAM accounts
+
+This security setting determines what additional permissions will be granted for anonymous connections to the computer.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.
+
+This security option allows additional restrictions to be placed on anonymous connections as follows:
+
+Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
+Disabled: No additional restrictions. Rely on default permissions.
+
+Default on workstations: Enabled.
+Default on server:Enabled.
+
+Important
+
+This policy has no impact on domain controllers.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Do not allow anonymous enumeration of SAM accounts
+ LastWrite
+
+
+
+ NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
+
+
+
+
+ 0
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+
+This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.
+
+Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
+
+Default: Disabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Do not allow anonymous enumeration of SAM accounts and shares
+ LastWrite
+
+
+
+ NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
+
+
+
+
+ 1
+ Network access: Restrict anonymous access to Named Pipes and Shares
+
+When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
+
+Network access: Named pipes that can be accessed anonymously
+Network access: Shares that can be accessed anonymously
+Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Restrict anonymous access to Named Pipes and Shares
+ LastWrite
+
+
+
+ NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
+
+
+
+
+
+ Network access: Restrict clients allowed to make remote calls to SAM
+
+This policy setting allows you to restrict remote rpc connections to SAM.
+
+If not selected, the default security descriptor will be used.
+
+This policy is supported on at least Windows Server 2016.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network access: Restrict clients allowed to make remote calls to SAM
+ LastWrite
+
+
+
+ NetworkSecurity_AllowPKU2UAuthenticationRequests
+
+
+
+
+ 1
+ Network security: Allow PKU2U authentication requests to this computer to use online identities.
+
+This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Allow PKU2U authentication requests to this computer to use online identities.
+ LastWrite
+
+
+
+ NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
+
+
+
+
+ 1
+ Network security: Do not store LAN Manager hash value on next password change
+
+This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
+
+
+Default on Windows Vista and above: Enabled
+Default on Windows XP: Disabled.
+
+Important
+
+Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Do not store LAN Manager hash value on next password change
+ LastWrite
+
+
+
+ NetworkSecurity_LANManagerAuthenticationLevel
+
+
+
+
+ 0
+ Network security LAN Manager authentication level
+
+This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:
+
+Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
+
+Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
+
+Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
+
+Important
+
+This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.
+
+Default:
+
+Windows 2000 and windows XP: send LM and NTLM responses
+
+Windows Server 2003: Send NTLM response only
+
+Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: LAN Manager authentication level
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
+
+
+
+ 0
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+
+This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
+Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
+ HighestValueMostSecure
+
+
+
+ NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+
+
+
+ 0
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+
+This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
+ HighestValueMostSecure
+
+
Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
+ 1
Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
@@ -51469,7 +58664,6 @@ When this policy is disabled, the option to shut down the computer does not appe
Default on workstations: Enabled.
Default on servers: Disabled.
- 1
@@ -51482,7 +58676,10 @@ Default on servers: Disabled.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Shutdown: Allow system to be shut down without having to log on
LastWrite
@@ -51492,6 +58689,7 @@ Default on servers: Disabled.
+ 0
Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
@@ -51501,7 +58699,6 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.
Default: Disabled.
- 0
@@ -51514,7 +58711,10 @@ Default: Disabled.
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ Shutdown: Clear virtual memory pagefile
LastWrite
@@ -51524,6 +58724,7 @@ Default: Disabled.
+ 0
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
@@ -51531,7 +58732,6 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
- 0
@@ -51544,7 +58744,10 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
LastWrite
@@ -51554,6 +58757,7 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
+ 5
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators.
@@ -51571,7 +58775,6 @@ The options are:
• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- 5
@@ -51584,7 +58787,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
LastWrite
@@ -51594,6 +58800,7 @@ The options are:
+ 3
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
@@ -51604,7 +58811,6 @@ The options are:
• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
- 3
@@ -51619,6 +58825,8 @@ The options are:
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Behavior of the elevation prompt for standard users
LastWrite
@@ -51628,6 +58836,7 @@ The options are:
+ 1
User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer.
@@ -51637,7 +58846,6 @@ The options are:
Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.
- 1
@@ -51650,7 +58858,10 @@ Disabled: Application installation packages are not detected and prompted for el
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Detect application installations and prompt for elevation
LastWrite
@@ -51660,6 +58871,7 @@ Disabled: Application installation packages are not detected and prompted for el
+ 0
User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
@@ -51669,7 +58881,6 @@ The options are:
• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.
• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.
- 0
@@ -51682,7 +58893,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Only elevate executables that are signed and validated
LastWrite
@@ -51692,6 +58906,7 @@ The options are:
+ 1
User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
@@ -51707,7 +58922,6 @@ The options are:
• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.
- 1
@@ -51720,7 +58934,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Only elevate UIAccess applications that are installed in secure locations
LastWrite
@@ -51730,6 +58947,7 @@ The options are:
+ 1
User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
@@ -51739,7 +58957,6 @@ The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
- 1
@@ -51752,7 +58969,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Run all administrators in Admin Approval Mode
LastWrite
@@ -51762,6 +58982,7 @@ The options are:
+ 1
User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.
@@ -51771,7 +58992,6 @@ The options are:
• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
- 1
@@ -51784,7 +59004,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Switch to the secure desktop when prompting for elevation
LastWrite
@@ -51794,6 +59017,7 @@ The options are:
+ 0
User Account Control: Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
@@ -51803,7 +59027,6 @@ The options are:
• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
- 0
@@ -51816,7 +59039,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Admin Approval Mode for the Built-in Administrator account
LastWrite
@@ -51826,6 +59052,7 @@ The options are:
+ 1
User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
@@ -51835,7 +59062,6 @@ The options are:
• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
• Disabled: Applications that write data to protected locations fail.
- 1
@@ -51848,7 +59074,10 @@ The options are:
text/plain
+
phone
+ Windows Settings~Security Settings~Local Policies~Security Options
+ User Account Control: Virtualize file and registry write failures to per-user locations
LastWrite
@@ -51878,8 +59107,8 @@ The options are:
-
0
+
@@ -51892,6 +59121,10 @@ The options are:
text/plain
+
+ LocationProviderAdm.admx
+ LocationProviderAdm~AT~LocationAndSensors~WindowsLocationProvider
+ DisableWindowsLocationProvider_1
LastWrite
@@ -51921,8 +59154,8 @@ The options are:
-
1
+
@@ -51937,6 +59170,9 @@ The options are:
phone
+ EdgeUI.admx
+ EdgeUI~AT~WindowsComponents~EdgeUI
+ AllowEdgeSwipe
LowestValueMostSecure
@@ -51966,8 +59202,8 @@ The options are:
-
65535
+
@@ -51990,8 +59226,8 @@ The options are:
-
65535
+
@@ -52005,6 +59241,9 @@ The options are:
text/plain
+ WinMaps.admx
+ WinMaps~AT~WindowsComponents~Maps
+ TurnOffAutoUpdate
LastWrite
@@ -52034,8 +59273,8 @@ The options are:
- This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.
1
+ This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.
@@ -52048,6 +59287,10 @@ The options are:
text/plain
+
+ messaging.admx
+ messaging~AT~WindowsComponents~Messaging_Category
+ AllowMessageSync
LowestValueMostSecure
@@ -52057,8 +59300,8 @@ The options are:
- This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.
1
+ This policy setting allows you to enable or disable the sending and receiving cellular MMS messages.
@@ -52071,6 +59314,7 @@ The options are:
text/plain
+
desktop
LowestValueMostSecure
@@ -52081,8 +59325,8 @@ The options are:
- This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages.
1
+ This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages.
@@ -52095,11 +59339,295 @@ The options are:
text/plain
+
desktop
LowestValueMostSecure
+
+ MSSecurityGuide
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0201_LATFP
+ LastWrite
+
+
+
+ ConfigureSMBV1ClientDriver
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0002_SMBv1_ClientDriver
+ LastWrite
+
+
+
+ ConfigureSMBV1Server
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0001_SMBv1_Server
+ LastWrite
+
+
+
+ EnableStructuredExceptionHandlingOverwriteProtection
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0102_SEHOP
+ LastWrite
+
+
+
+ WDigestAuthentication
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ SecGuide.admx
+ SecGuide~AT~Cat_SecGuide
+ Pol_SecGuide_0202_WDigestAuthn
+ LastWrite
+
+
+
+
+ MSSLegacy
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_EnableICMPRedirect
+ LastWrite
+
+
+
+ AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_NoNameReleaseOnDemand
+ LastWrite
+
+
+
+ IPSourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_DisableIPSourceRouting
+ LastWrite
+
+
+
+ IPv6SourceRoutingProtectionLevel
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ mss-legacy.admx
+ Mss-legacy~AT~Cat_MSS
+ Pol_MSS_DisableIPSourceRoutingIPv6
+ LastWrite
+
+
+
NetworkIsolation
@@ -52125,8 +59653,8 @@ The options are:
-
+
@@ -52139,6 +59667,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_EnterpriseCloudResourcesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_EnterpriseCloudResources
LastWrite
@@ -52148,8 +59680,8 @@ The options are:
-
+
@@ -52162,6 +59694,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_Intranet_ProxiesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Intranet_Proxies
LastWrite
@@ -52171,8 +59707,8 @@ The options are:
-
+
@@ -52185,6 +59721,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_PrivateSubnetBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_PrivateSubnet
LastWrite
@@ -52194,8 +59734,8 @@ The options are:
-
0
+
@@ -52208,6 +59748,10 @@ The options are:
text/plain
+
+ NetworkIsolation.admx
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Authoritative_Subnet
LastWrite
@@ -52217,8 +59761,8 @@ The options are:
-
+
@@ -52240,8 +59784,8 @@ The options are:
-
+
@@ -52254,6 +59798,10 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_Domain_ProxiesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Domain_Proxies
LastWrite
@@ -52263,8 +59811,8 @@ The options are:
-
0
+
@@ -52277,6 +59825,10 @@ The options are:
text/plain
+
+ NetworkIsolation.admx
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_Authoritative_Proxies
LastWrite
@@ -52286,8 +59838,8 @@ The options are:
-
+
@@ -52300,10 +59852,61 @@ The options are:
text/plain
+ NetworkIsolation.admx
+ WF_NetIsolation_NeutralResourcesBox
+ NetworkIsolation~AT~Network~WF_Isolation
+ WF_NetIsolation_NeutralResources
LastWrite
+
+ Notifications
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ DisallowCloudNotification
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ WPN.admx
+ WPN~AT~StartMenu~NotificationsCategory
+ NoCloudNotification
+ LowestValueMostSecure
+
+
+
Power
@@ -52323,14 +59926,41 @@ The options are:
+
+ AllowStandbyStatesWhenSleepingOnBattery
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ power.admx
+ Power~AT~System~PowerManagementCat~PowerSleepSettingsCat
+ AllowStandbyStatesDC_2
+ LastWrite
+
+
AllowStandbyWhenSleepingPluggedIn
-
+
@@ -52356,8 +59986,8 @@ The options are:
-
+
@@ -52383,8 +60013,8 @@ The options are:
-
+
@@ -52410,8 +60040,8 @@ The options are:
-
+
@@ -52437,8 +60067,8 @@ The options are:
-
+
@@ -52464,8 +60094,8 @@ The options are:
-
+
@@ -52491,8 +60121,8 @@ The options are:
-
+
@@ -52518,8 +60148,8 @@ The options are:
-
+
@@ -52545,8 +60175,8 @@ The options are:
-
+
@@ -52592,8 +60222,8 @@ The options are:
-
+
@@ -52619,8 +60249,8 @@ The options are:
-
+
@@ -52666,8 +60296,8 @@ The options are:
-
0
+
@@ -52690,8 +60320,8 @@ The options are:
-
1
+
@@ -52706,6 +60336,9 @@ The options are:
10.0.10240
+ Globalization.admx
+ Globalization~AT~ControlPanel~RegionalOptions
+ AllowInputPersonalization
LowestValueMostSecure
@@ -52715,8 +60348,8 @@ The options are:
-
65535
+
@@ -52730,6 +60363,9 @@ The options are:
text/plain
+ UserProfiles.admx
+ UserProfiles~AT~System~UserProfiles
+ DisableAdvertisingId
LowestValueMostSecureZeroHasNoLimits
@@ -52739,8 +60375,8 @@ The options are:
- Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user.
1
+ Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user.
@@ -52754,6 +60390,9 @@ The options are:
text/plain
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ EnableActivityFeed
HighestValueMostSecure
@@ -52763,8 +60402,8 @@ The options are:
- This policy setting specifies whether Windows apps can access account information.
0
+ This policy setting specifies whether Windows apps can access account information.
@@ -52777,6 +60416,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfo
HighestValueMostSecure
@@ -52786,8 +60430,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52800,6 +60444,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfo
LastWrite
;
@@ -52810,8 +60458,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52824,6 +60472,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfo
LastWrite
;
@@ -52834,8 +60486,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -52848,6 +60500,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessAccountInfo_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessAccountInfo
LastWrite
;
@@ -52858,8 +60514,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the calendar.
0
+ This policy setting specifies whether Windows apps can access the calendar.
@@ -52872,6 +60528,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCalendar_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendar
HighestValueMostSecure
@@ -52881,8 +60542,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52895,6 +60556,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendar
LastWrite
;
@@ -52905,8 +60570,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52919,6 +60584,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendar
LastWrite
;
@@ -52929,8 +60598,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -52943,6 +60612,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCalendar_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCalendar
LastWrite
;
@@ -52953,8 +60626,8 @@ The options are:
- This policy setting specifies whether Windows apps can access call history.
0
+ This policy setting specifies whether Windows apps can access call history.
@@ -52967,6 +60640,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistory
HighestValueMostSecure
@@ -52976,8 +60654,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -52990,6 +60668,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistory
LastWrite
;
@@ -53000,8 +60682,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -53014,6 +60696,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistory
LastWrite
;
@@ -53024,8 +60710,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -53038,6 +60724,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCallHistory_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCallHistory
LastWrite
;
@@ -53048,8 +60738,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the camera.
0
+ This policy setting specifies whether Windows apps can access the camera.
@@ -53062,6 +60752,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessCamera_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCamera
HighestValueMostSecure
@@ -53071,8 +60766,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53085,6 +60780,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCamera
LastWrite
;
@@ -53095,8 +60794,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53109,6 +60808,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCamera
LastWrite
;
@@ -53119,8 +60822,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -53133,6 +60836,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessCamera_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessCamera
LastWrite
;
@@ -53143,8 +60850,8 @@ The options are:
- This policy setting specifies whether Windows apps can access contacts.
0
+ This policy setting specifies whether Windows apps can access contacts.
@@ -53157,6 +60864,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessContacts_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContacts
HighestValueMostSecure
@@ -53166,8 +60878,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53180,6 +60892,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContacts
LastWrite
;
@@ -53190,8 +60906,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53204,6 +60920,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContacts
LastWrite
;
@@ -53214,8 +60934,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -53228,6 +60948,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessContacts_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessContacts
LastWrite
;
@@ -53238,8 +60962,8 @@ The options are:
- This policy setting specifies whether Windows apps can access email.
0
+ This policy setting specifies whether Windows apps can access email.
@@ -53252,6 +60976,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
HighestValueMostSecure
@@ -53261,8 +60990,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -53275,6 +61004,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessEmail_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
LastWrite
;
@@ -53285,8 +61018,88 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessEmail_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessEmail_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessEmail
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessGazeInput
+
+
+
+
+ 0
+ This policy setting specifies whether Windows apps can access the eye tracker.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ LetAppsAccessGazeInput_ForceAllowTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
@@ -53304,13 +61117,37 @@ The options are:
- LetAppsAccessEmail_UserInControlOfTheseApps
+ LetAppsAccessGazeInput_ForceDenyTheseApps
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ LastWrite
+ ;
+
+
+
+ LetAppsAccessGazeInput_UserInControlOfTheseApps
+
+
+
+
+
+ List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps.
@@ -53333,8 +61170,8 @@ The options are:
- This policy setting specifies whether Windows apps can access location.
0
+ This policy setting specifies whether Windows apps can access location.
@@ -53347,6 +61184,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessLocation_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocation
HighestValueMostSecure
@@ -53356,8 +61198,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53370,6 +61212,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocation
LastWrite
;
@@ -53380,8 +61226,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53394,6 +61240,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocation
LastWrite
;
@@ -53404,8 +61254,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -53418,6 +61268,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessLocation_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessLocation
LastWrite
;
@@ -53428,8 +61282,8 @@ The options are:
- This policy setting specifies whether Windows apps can read or send messages (text or MMS).
0
+ This policy setting specifies whether Windows apps can read or send messages (text or MMS).
@@ -53442,6 +61296,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMessaging_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessaging
HighestValueMostSecure
@@ -53451,8 +61310,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53465,6 +61324,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessaging
LastWrite
;
@@ -53475,8 +61338,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53489,6 +61352,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessaging
LastWrite
;
@@ -53499,8 +61366,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -53513,6 +61380,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMessaging_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMessaging
LastWrite
;
@@ -53523,8 +61394,8 @@ The options are:
- This policy setting specifies whether Windows apps can access the microphone.
0
+ This policy setting specifies whether Windows apps can access the microphone.
@@ -53537,6 +61408,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophone
HighestValueMostSecure
@@ -53546,8 +61422,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53560,6 +61436,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophone
LastWrite
;
@@ -53570,8 +61450,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53584,6 +61464,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophone
LastWrite
;
@@ -53594,8 +61478,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -53608,6 +61492,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMicrophone_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMicrophone
LastWrite
;
@@ -53618,8 +61506,8 @@ The options are:
- This policy setting specifies whether Windows apps can access motion data.
0
+ This policy setting specifies whether Windows apps can access motion data.
@@ -53632,6 +61520,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessMotion_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotion
HighestValueMostSecure
@@ -53641,8 +61534,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53655,6 +61548,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotion
LastWrite
;
@@ -53665,8 +61562,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53679,6 +61576,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotion
LastWrite
;
@@ -53689,8 +61590,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -53703,6 +61604,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessMotion_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessMotion
LastWrite
;
@@ -53713,8 +61618,8 @@ The options are:
- This policy setting specifies whether Windows apps can access notifications.
0
+ This policy setting specifies whether Windows apps can access notifications.
@@ -53727,6 +61632,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessNotifications_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotifications
HighestValueMostSecure
@@ -53736,8 +61646,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53750,6 +61660,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotifications
LastWrite
;
@@ -53760,8 +61674,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53774,6 +61688,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotifications
LastWrite
;
@@ -53784,8 +61702,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -53798,6 +61716,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessNotifications_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessNotifications
LastWrite
;
@@ -53808,8 +61730,8 @@ The options are:
- This policy setting specifies whether Windows apps can make phone calls
0
+ This policy setting specifies whether Windows apps can make phone calls
@@ -53822,6 +61744,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessPhone_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhone
HighestValueMostSecure
@@ -53831,8 +61758,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53845,6 +61772,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhone
LastWrite
;
@@ -53855,8 +61786,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53869,6 +61800,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhone
LastWrite
;
@@ -53879,8 +61814,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -53893,6 +61828,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessPhone_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessPhone
LastWrite
;
@@ -53903,8 +61842,8 @@ The options are:
- This policy setting specifies whether Windows apps have access to control radios.
0
+ This policy setting specifies whether Windows apps have access to control radios.
@@ -53917,6 +61856,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessRadios_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadios
HighestValueMostSecure
@@ -53926,8 +61870,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53940,6 +61884,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadios
LastWrite
;
@@ -53950,8 +61898,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53964,6 +61912,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadios
LastWrite
;
@@ -53974,8 +61926,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -53988,6 +61940,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessRadios_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessRadios
LastWrite
;
@@ -53998,8 +61954,8 @@ The options are:
- This policy setting specifies whether Windows apps can access tasks.
0
+ This policy setting specifies whether Windows apps can access tasks.
@@ -54012,6 +61968,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessTasks_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasks
HighestValueMostSecure
@@ -54021,8 +61982,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54035,6 +61996,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasks
LastWrite
;
@@ -54045,8 +62010,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54059,6 +62024,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasks
LastWrite
;
@@ -54069,8 +62038,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -54083,6 +62052,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTasks_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTasks
LastWrite
;
@@ -54093,8 +62066,8 @@ The options are:
- This policy setting specifies whether Windows apps can access trusted devices.
0
+ This policy setting specifies whether Windows apps can access trusted devices.
@@ -54107,6 +62080,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevices
HighestValueMostSecure
@@ -54116,8 +62094,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54130,6 +62108,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevices
LastWrite
;
@@ -54140,8 +62122,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54154,6 +62136,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevices
LastWrite
;
@@ -54164,8 +62150,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -54178,6 +62164,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsAccessTrustedDevices
LastWrite
;
@@ -54188,8 +62178,8 @@ The options are:
- This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.
0
+ This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names.
@@ -54202,6 +62192,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfo
HighestValueMostSecure
@@ -54211,8 +62206,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54225,6 +62220,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfo
LastWrite
;
@@ -54235,8 +62234,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54249,6 +62248,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfo
LastWrite
;
@@ -54259,8 +62262,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps.
@@ -54273,6 +62276,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsGetDiagnosticInfo
LastWrite
;
@@ -54283,8 +62290,8 @@ The options are:
- This policy setting specifies whether Windows apps can run in the background.
0
+ This policy setting specifies whether Windows apps can run in the background.
@@ -54297,6 +62304,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsRunInBackground_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackground
HighestValueMostSecure
@@ -54306,8 +62318,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54320,6 +62332,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackground
LastWrite
;
@@ -54330,8 +62346,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54344,6 +62360,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackground
LastWrite
;
@@ -54354,8 +62374,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
+ List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps.
@@ -54368,6 +62388,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsRunInBackground_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsRunInBackground
LastWrite
;
@@ -54378,8 +62402,8 @@ The options are:
- This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.
0
+ This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.
@@ -54392,6 +62416,11 @@ The options are:
text/plain
+
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_Enum
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevices
HighestValueMostSecure
@@ -54401,8 +62430,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54415,6 +62444,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_ForceAllowTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevices
LastWrite
;
@@ -54425,8 +62458,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54439,6 +62472,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_ForceDenyTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevices
LastWrite
;
@@ -54449,8 +62486,8 @@ The options are:
- List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -54463,6 +62500,10 @@ The options are:
text/plain
+ AppPrivacy.admx
+ LetAppsSyncWithDevices_UserInControlOfTheseApps_List
+ AppPrivacy~AT~WindowsComponents~AppPrivacy
+ LetAppsSyncWithDevices
LastWrite
;
@@ -54473,8 +62514,8 @@ The options are:
- Allows apps/system to publish 'User Activities' into ActivityFeed.
1
+ Allows apps/system to publish 'User Activities' into ActivityFeed.
@@ -54488,6 +62529,36 @@ The options are:
text/plain
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ PublishUserActivities
+ HighestValueMostSecure
+
+
+
+ UploadUserActivities
+
+
+
+
+ 1
+ Allows ActivityFeed to upload published 'User Activities'.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ OSPolicy.admx
+ OSPolicy~AT~System~PolicyPolicies
+ UploadUserActivities
HighestValueMostSecure
@@ -54517,8 +62588,8 @@ The options are:
-
+
@@ -54544,8 +62615,8 @@ The options are:
-
+
@@ -54571,8 +62642,8 @@ The options are:
-
+
@@ -54598,8 +62669,8 @@ The options are:
-
+
@@ -54645,8 +62716,8 @@ The options are:
-
+
@@ -54672,8 +62743,8 @@ The options are:
-
+
@@ -54699,8 +62770,8 @@ The options are:
-
+
@@ -54726,8 +62797,8 @@ The options are:
-
+
@@ -54753,8 +62824,8 @@ The options are:
-
+
@@ -54780,8 +62851,8 @@ The options are:
-
+
@@ -54827,8 +62898,8 @@ The options are:
-
+
@@ -54854,8 +62925,8 @@ The options are:
-
+
@@ -54881,8 +62952,8 @@ The options are:
-
+
@@ -54908,8 +62979,8 @@ The options are:
-
+
@@ -54935,8 +63006,8 @@ The options are:
-
+
@@ -54962,8 +63033,8 @@ The options are:
-
+
@@ -54989,8 +63060,8 @@ The options are:
-
+
@@ -55016,8 +63087,8 @@ The options are:
-
+
@@ -55043,8 +63114,8 @@ The options are:
-
+
@@ -55070,8 +63141,8 @@ The options are:
-
+
@@ -55097,8 +63168,8 @@ The options are:
-
+
@@ -55124,8 +63195,8 @@ The options are:
-
+
@@ -55151,8 +63222,8 @@ The options are:
-
+
@@ -55178,8 +63249,8 @@ The options are:
-
+
@@ -55205,8 +63276,8 @@ The options are:
-
+
@@ -55252,8 +63323,8 @@ The options are:
-
+
@@ -55279,8 +63350,8 @@ The options are:
-
+
@@ -55326,8 +63397,8 @@ The options are:
-
+
@@ -55353,8 +63424,8 @@ The options are:
-
+
@@ -55380,8 +63451,8 @@ The options are:
-
+
@@ -55407,8 +63478,8 @@ The options are:
-
+
@@ -55434,8 +63505,8 @@ The options are:
-
+
@@ -55461,8 +63532,8 @@ The options are:
-
+
@@ -55488,8 +63559,8 @@ The options are:
-
+
@@ -55510,6 +63581,51 @@ The options are:
+
+ RestrictedGroups
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureGroupMembership
+
+
+
+
+
+ This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ LastWrite
+
+
+
Search
@@ -55535,8 +63651,8 @@ The options are:
-
2
+
@@ -55549,6 +63665,39 @@ The options are:
text/plain
+
+ Search.admx
+ AllowCloudSearch_Dropdown
+ Search~AT~WindowsComponents~Search
+ AllowCloudSearch
+ LowestValueMostSecure
+
+
+
+ AllowCortanaInAAD
+
+
+
+
+ 0
+ This features allows you to show the cortana opt-in page during Windows Setup
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowCortanaInAAD
LowestValueMostSecure
@@ -55558,8 +63707,8 @@ The options are:
-
0
+
@@ -55573,6 +63722,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowIndexingEncryptedStoresOrItems
LowestValueMostSecure
@@ -55582,8 +63734,8 @@ The options are:
-
1
+
@@ -55597,6 +63749,9 @@ The options are:
text/plain
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowSearchToUseLocation
LowestValueMostSecure
@@ -55606,8 +63761,8 @@ The options are:
-
1
+
@@ -55630,8 +63785,8 @@ The options are:
-
0
+
@@ -55644,6 +63799,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AllowUsingDiacritics
HighestValueMostSecure
@@ -55653,8 +63812,8 @@ The options are:
-
3
+
@@ -55667,6 +63826,7 @@ The options are:
text/plain
+
LowestValueMostSecure
@@ -55676,8 +63836,8 @@ The options are:
-
0
+
@@ -55690,6 +63850,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ AlwaysUseAutoLangDetection
HighestValueMostSecure
@@ -55699,8 +63863,8 @@ The options are:
-
0
+
@@ -55713,6 +63877,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DisableBackoff
HighestValueMostSecure
@@ -55722,8 +63890,8 @@ The options are:
-
0
+
@@ -55736,17 +63904,48 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DisableRemovableDriveIndexing
HighestValueMostSecure
+
+ DoNotUseWebResults
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ DoNotUseWebResults
+ LowestValueMostSecure
+
+
PreventIndexingLowDiskSpaceMB
-
1
+
@@ -55759,6 +63958,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ StopIndexingOnLimitedHardDriveSpace
HighestValueMostSecure
@@ -55768,8 +63971,8 @@ The options are:
-
1
+
@@ -55782,6 +63985,10 @@ The options are:
text/plain
+
+ Search.admx
+ Search~AT~WindowsComponents~Search
+ PreventRemoteQueries
HighestValueMostSecure
@@ -55791,8 +63998,8 @@ The options are:
-
1
+
@@ -55805,6 +64012,7 @@ The options are:
text/plain
+
desktop
HighestValueMostSecure
@@ -55835,8 +64043,8 @@ The options are:
-
1
+
@@ -55859,8 +64067,8 @@ The options are:
-
1
+
@@ -55884,8 +64092,8 @@ The options are:
-
1
+
@@ -55908,8 +64116,8 @@ The options are:
-
1
+
@@ -55933,8 +64141,8 @@ The options are:
-
0
+
@@ -55949,17 +64157,20 @@ The options are:
phone
+ TPM.admx
+ TPM~AT~System~TPMCategory
+ ClearTPMIfNotReady_Name
HighestValueMostSecure
- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+ ConfigureWindowsPasswords
-
- 0
+ 2
+ Configures the use of passwords for Windows features
@@ -55972,6 +64183,32 @@ The options are:
text/plain
+
+ phone
+ LastWrite
+
+
+
+ PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
LastWrite
@@ -55981,8 +64218,8 @@ The options are:
-
0
+
@@ -55995,6 +64232,7 @@ The options are:
text/plain
+
HighestValueMostSecure
@@ -56004,8 +64242,8 @@ The options are:
-
0
+
@@ -56018,6 +64256,7 @@ The options are:
text/plain
+
HighestValueMostSecure
@@ -56027,8 +64266,8 @@ The options are:
-
0
+
@@ -56041,6 +64280,7 @@ The options are:
text/plain
+
HighestValueMostSecure
@@ -56070,8 +64310,8 @@ The options are:
-
1
+
@@ -56095,8 +64335,8 @@ The options are:
-
1
+
@@ -56119,8 +64359,8 @@ The options are:
-
1
+
@@ -56143,8 +64383,8 @@ The options are:
-
1
+
@@ -56167,8 +64407,8 @@ The options are:
-
1
+
@@ -56192,8 +64432,8 @@ The options are:
-
1
+
@@ -56207,6 +64447,10 @@ The options are:
text/plain
+ ControlPanel.admx
+ CheckBox_AllowOnlineTips
+ ControlPanel~AT~ControlPanel
+ AllowOnlineTips
LowestValueMostSecure
@@ -56216,8 +64460,8 @@ The options are:
-
1
+
@@ -56241,8 +64485,8 @@ The options are:
-
1
+
@@ -56266,8 +64510,8 @@ The options are:
-
1
+
@@ -56291,8 +64535,8 @@ The options are:
-
1
+
@@ -56315,8 +64559,8 @@ The options are:
-
1
+
@@ -56340,8 +64584,8 @@ The options are:
-
1
+
@@ -56364,8 +64608,8 @@ The options are:
-
+
@@ -56378,6 +64622,10 @@ The options are:
text/plain
+ ControlPanel.admx
+ SettingsPageVisibilityBox
+ ControlPanel~AT~ControlPanel
+ SettingsPageVisibility
LastWrite
@@ -56407,8 +64655,8 @@ The options are:
-
0
+
@@ -56423,6 +64671,9 @@ The options are:
phone
+ SmartScreen.admx
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ConfigureAppInstallControl
HighestValueMostSecure
@@ -56432,8 +64683,8 @@ The options are:
-
1
+
@@ -56448,6 +64699,9 @@ The options are:
phone
+ SmartScreen.admx
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ShellConfigureSmartScreen
HighestValueMostSecure
@@ -56457,8 +64711,8 @@ The options are:
-
0
+
@@ -56473,6 +64727,10 @@ The options are:
phone
+ SmartScreen.admx
+ ShellConfigureSmartScreen_Dropdown
+ SmartScreen~AT~WindowsComponents~SmartScreen~Shell
+ ShellConfigureSmartScreen
HighestValueMostSecure
@@ -56502,8 +64760,8 @@ The options are:
-
1
+
@@ -56517,6 +64775,9 @@ The options are:
text/plain
+ Speech.admx
+ Speech~AT~WindowsComponents~Speech
+ AllowSpeechModelUpdate
LowestValueMostSecure
@@ -56546,8 +64807,8 @@ The options are:
- This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56571,8 +64832,8 @@ The options are:
- This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56596,8 +64857,8 @@ The options are:
- This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56621,8 +64882,8 @@ The options are:
- This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56646,8 +64907,8 @@ The options are:
- This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56671,8 +64932,8 @@ The options are:
- This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56696,8 +64957,8 @@ The options are:
- This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56721,8 +64982,8 @@ The options are:
- This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56746,8 +65007,8 @@ The options are:
- This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56771,8 +65032,8 @@ The options are:
- This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
65535
+ This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user.
@@ -56791,13 +65052,13 @@ The options are:
- ForceStartSize
+ DisableContextMenus
-
0
+ Enabling this policy prevents context menus from being invoked in the Start Menu.
@@ -56810,6 +65071,35 @@ The options are:
text/plain
+
+ phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ DisableContextMenusInStart
+ LowestValueMostSecure
+
+
+
+ ForceStartSize
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
phone
LastWrite
@@ -56820,8 +65110,8 @@ The options are:
- Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app.
0
+ Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app.
@@ -56834,6 +65124,7 @@ The options are:
text/plain
+
phone
LastWrite
@@ -56844,8 +65135,8 @@ The options are:
- Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.
0
+ Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu.
@@ -56868,8 +65159,8 @@ The options are:
- Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
0
+ Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
@@ -56893,8 +65184,8 @@ The options are:
- Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.
0
+ Enabling this policy hides "Hibernate" from appearing in the power button in the start menu.
@@ -56917,8 +65208,8 @@ The options are:
- Enabling this policy hides "Lock" from appearing in the user tile in the start menu.
0
+ Enabling this policy hides "Lock" from appearing in the user tile in the start menu.
@@ -56941,8 +65232,8 @@ The options are:
- Enabling this policy hides the power button from appearing in the start menu.
0
+ Enabling this policy hides the power button from appearing in the start menu.
@@ -56965,8 +65256,8 @@ The options are:
- Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app.
0
+ Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app.
@@ -56990,8 +65281,8 @@ The options are:
- Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
0
+ Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app.
@@ -57006,6 +65297,9 @@ The options are:
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ HideRecentlyAddedApps
LowestValueMostSecure
@@ -57015,8 +65309,8 @@ The options are:
- Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.
0
+ Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu.
@@ -57039,8 +65333,8 @@ The options are:
- Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.
0
+ Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu.
@@ -57063,8 +65357,8 @@ The options are:
- Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.
0
+ Enabling this policy hides "Sign out" from appearing in the user tile in the start menu.
@@ -57087,8 +65381,8 @@ The options are:
- Enabling this policy hides "Sleep" from appearing in the power button in the start menu.
0
+ Enabling this policy hides "Sleep" from appearing in the power button in the start menu.
@@ -57111,8 +65405,8 @@ The options are:
- Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.
0
+ Enabling this policy hides "Switch account" from appearing in the user tile in the start menu.
@@ -57135,8 +65429,8 @@ The options are:
- Enabling this policy hides the user tile from appearing in the start menu.
0
+ Enabling this policy hides the user tile from appearing in the start menu.
@@ -57159,8 +65453,8 @@ The options are:
- This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified.
+ This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified.
@@ -57183,8 +65477,8 @@ The options are:
- This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
0
+ This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
@@ -57208,8 +65502,8 @@ The options are:
-
+
@@ -57223,6 +65517,9 @@ The options are:
text/plain
phone
+ StartMenu.admx
+ StartMenu~AT~StartMenu
+ LockedStartLayout
LastWrite
@@ -57252,8 +65549,8 @@ The options are:
-
1
+
@@ -57266,7 +65563,11 @@ The options are:
text/plain
+
phone
+ StorageHealth.admx
+ StorageHealth~AT~System~StorageHealth
+ SH_AllowDiskHealthModelUpdates
LastWrite
@@ -57276,8 +65577,8 @@ The options are:
-
+
@@ -57323,8 +65624,8 @@ The options are:
-
2
+
@@ -57337,6 +65638,10 @@ The options are:
text/plain
+
+ AllowBuildPreview.admx
+ AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowBuildPreview
LowestValueMostSecure
@@ -57346,8 +65651,8 @@ The options are:
-
0
+
@@ -57370,8 +65675,8 @@ The options are:
-
1
+
@@ -57384,6 +65689,7 @@ The options are:
text/plain
+
LowestValueMostSecure
@@ -57393,8 +65699,8 @@ The options are:
-
1
+
@@ -57408,6 +65714,9 @@ The options are:
text/plain
+ GroupPolicy.admx
+ GroupPolicy~AT~Network~NetworkFonts
+ EnableFontProviders
LowestValueMostSecure
@@ -57417,8 +65726,8 @@ The options are:
-
1
+
@@ -57431,6 +65740,10 @@ The options are:
text/plain
+
+ Sensors.admx
+ Sensors~AT~LocationAndSensors
+ DisableLocation_2
LowestValueMostSecure
@@ -57440,8 +65753,8 @@ The options are:
-
1
+
@@ -57464,8 +65777,8 @@ The options are:
-
3
+
@@ -57478,6 +65791,11 @@ The options are:
text/plain
+
+ DataCollection.admx
+ AllowTelemetry
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ AllowTelemetry
LowestValueMostSecure
@@ -57487,8 +65805,8 @@ The options are:
-
1
+
@@ -57511,8 +65829,8 @@ The options are:
-
+
@@ -57533,36 +65851,13 @@ The options are:
- DisableEnterpriseAuthProxy
+ ConfigureTelemetryOptInChangeNotification
- This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- LastWrite
-
-
-
- DisableOneDriveFileSync
-
-
-
-
- This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
0
+
@@ -57576,6 +65871,93 @@ The options are:
text/plain
+ DataCollection.admx
+ ConfigureTelemetryOptInChangeNotification
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ ConfigureTelemetryOptInChangeNotification
+ HighestValueMostSecure
+
+
+
+ ConfigureTelemetryOptInSettingsUx
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ ConfigureTelemetryOptInSettingsUx
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ ConfigureTelemetryOptInSettingsUx
+ HighestValueMostSecure
+
+
+
+ DisableEnterpriseAuthProxy
+
+
+
+
+ 0
+ This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ DisableEnterpriseAuthProxy
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ DisableEnterpriseAuthProxy
+ LastWrite
+
+
+
+ DisableOneDriveFileSync
+
+
+
+
+ 0
+ This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ SkyDrive.admx
+ SkyDrive~AT~WindowsComponents~OneDrive
+ PreventOnedriveFileSync
HighestValueMostSecure
@@ -57585,8 +65967,8 @@ The options are:
-
+
@@ -57612,31 +65994,8 @@ The options are:
+ 0
Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally.
- 0
-
-
-
-
-
-
-
-
-
-
- text/plain
-
- LastWrite
-
-
-
- LimitEnhancedDiagnosticDataWindowsAnalytics
-
-
-
-
- This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced) When you configure these policy settings, a Basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: https://go.microsoft.com/fwlink/?linkid=847594. Enabling Enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional Enhanced level telemetry data. This setting has no effect on computers configured to send Full, Basic or Security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy.
- 0
@@ -57650,6 +66009,34 @@ The options are:
text/plain
+ LastWrite
+
+
+
+ LimitEnhancedDiagnosticDataWindowsAnalytics
+
+
+
+
+ 0
+ This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ DataCollection.admx
+ LimitEnhancedDiagnosticDataWindowsAnalytics
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ LimitEnhancedDiagnosticDataWindowsAnalytics
LowestValueMostSecure
@@ -57659,8 +66046,8 @@ The options are:
-
+
@@ -57673,6 +66060,237 @@ The options are:
text/plain
+ DataCollection.admx
+ TelemetryProxyName
+ DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds
+ TelemetryProxy
+ LastWrite
+
+
+
+
+ SystemServices
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ConfigureHomeGroupListenerServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ HomeGroup Listener
+ LastWrite
+
+
+
+ ConfigureHomeGroupProviderServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ HomeGroup Provider
+ LastWrite
+
+
+
+ ConfigureXboxAccessoryManagementServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Accessory Management Service
+ LastWrite
+
+
+
+ ConfigureXboxLiveAuthManagerServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Auth Manager
+ LastWrite
+
+
+
+ ConfigureXboxLiveGameSaveServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Game Save
+ LastWrite
+
+
+
+ ConfigureXboxLiveNetworkingServiceStartupMode
+
+
+
+
+ 0
+ This setting determines whether the service's start type is Automaic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ Windows Settings~Security Settings~System Services
+ Xbox Live Networking Service
+ LastWrite
+
+
+
+
+ TaskScheduler
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EnableXboxGameSaveTask
+
+
+
+
+ 0
+ This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
LastWrite
@@ -57696,14 +66314,38 @@ The options are:
+
+ AllowHardwareKeyboardTextSuggestions
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ LowestValueMostSecure
+
+
AllowIMELogging
-
1
+
@@ -57727,8 +66369,8 @@ The options are:
-
1
+
@@ -57752,8 +66394,8 @@ The options are:
-
1
+
@@ -57777,8 +66419,8 @@ The options are:
-
1
+
@@ -57791,6 +66433,7 @@ The options are:
text/plain
+
phone
HighestValueMostSecure
@@ -57801,8 +66444,8 @@ The options are:
-
1
+
@@ -57826,8 +66469,8 @@ The options are:
-
1
+
@@ -57851,8 +66494,8 @@ The options are:
-
1
+
@@ -57876,8 +66519,8 @@ The options are:
-
1
+
@@ -57900,8 +66543,8 @@ The options are:
-
1
+
@@ -57916,6 +66559,60 @@ The options are:
phone
+ TextInput.admx
+ TextInput~AT~WindowsComponents~TextInput
+ AllowLanguageFeaturesUninstall
+ LowestValueMostSecure
+
+
+
+ AllowLinguisticDataCollection
+
+
+
+
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ TextInput.admx
+ TextInput~AT~WindowsComponents~TextInput
+ AllowLinguisticDataCollection
+ LowestValueMostSecure
+
+
+
+ EnableTouchKeyboardAutoInvokeInDesktopMode
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
LowestValueMostSecure
@@ -57925,8 +66622,8 @@ The options are:
-
0
+
@@ -57939,6 +66636,7 @@ The options are:
text/plain
+
HighestValueMostSecure
@@ -57948,8 +66646,8 @@ The options are:
-
0
+
@@ -57962,6 +66660,7 @@ The options are:
text/plain
+
phone
HighestValueMostSecure
@@ -57972,8 +66671,8 @@ The options are:
-
0
+
@@ -57986,10 +66685,203 @@ The options are:
text/plain
+
phone
HighestValueMostSecure
+
+ ForceTouchKeyboardDockedState
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardDictationButtonAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardEmojiButtonAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardFullModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardHandwritingModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardNarrowModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardSplitModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
+
+ TouchKeyboardWideModeAvailability
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ HighestValueMostSecure
+
+
TimeLanguageSettings
@@ -58016,8 +66908,8 @@ The options are:
-
0
+
@@ -58061,8 +66953,8 @@ The options are:
-
17
+
@@ -58075,6 +66967,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursEndTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHours
LastWrite
@@ -58084,8 +66981,8 @@ The options are:
-
18
+
@@ -58098,6 +66995,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursMaxRange
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHoursMaxRange
LastWrite
@@ -58107,8 +67009,8 @@ The options are:
-
8
+
@@ -58121,6 +67023,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ActiveHoursStartTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ ActiveHours
LastWrite
@@ -58130,8 +67037,8 @@ The options are:
-
2
+
@@ -58144,6 +67051,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateMode
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58153,8 +67065,8 @@ The options are:
-
0
+
@@ -58167,6 +67079,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AllowAutoWindowsUpdateDownloadOverMeteredNetwork
LastWrite
@@ -58176,8 +67092,8 @@ The options are:
-
0
+
@@ -58190,7 +67106,12 @@ The options are:
text/plain
+
phone
+ WindowsUpdate.admx
+ AllowMUUpdateServiceId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58200,8 +67121,8 @@ The options are:
-
1
+
@@ -58224,8 +67145,8 @@ The options are:
-
1
+
@@ -58239,6 +67160,9 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURL
LowestValueMostSecure
@@ -58248,8 +67172,8 @@ The options are:
-
7
+
@@ -58262,6 +67186,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartDeadline
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartDeadline
LastWrite
@@ -58271,8 +67200,8 @@ The options are:
-
15
+
@@ -58286,6 +67215,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ AutoRestartNotificationSchd
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartNotificationConfig
LastWrite
@@ -58295,8 +67228,8 @@ The options are:
-
1
+
@@ -58309,6 +67242,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartRequiredNotificationDismissal
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartRequiredNotificationDismissal
LastWrite
@@ -58318,8 +67256,8 @@ The options are:
-
16
+
@@ -58333,6 +67271,34 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ BranchReadinessLevelId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdates
+ LastWrite
+
+
+
+ ConfigureFeatureUpdateUninstallPeriod
+
+
+
+
+ 10
+ Enable enterprises/IT admin to configure feature update uninstall period
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
LastWrite
@@ -58342,8 +67308,8 @@ The options are:
-
0
+
@@ -58356,6 +67322,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferFeatureUpdatesPeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdates
LastWrite
@@ -58365,8 +67336,8 @@ The options are:
-
0
+
@@ -58379,6 +67350,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferQualityUpdatesPeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdates
LastWrite
@@ -58388,8 +67364,8 @@ The options are:
-
0
+
@@ -58402,6 +67378,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpdatePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgrade
LastWrite
@@ -58411,8 +67392,8 @@ The options are:
-
0
+
@@ -58425,6 +67406,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpgradePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgrade
LastWrite
@@ -58434,8 +67420,8 @@ The options are:
-
22
+
@@ -58448,6 +67434,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DetectionFrequency_Hour2
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DetectionFrequency_Title
LastWrite
@@ -58457,8 +67448,8 @@ The options are:
- Do not allow update deferral policies to cause scans against Windows Update
0
+ Do not allow update deferral policies to cause scans against Windows Update
@@ -58471,6 +67462,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DisableDualScan
LastWrite
@@ -58480,8 +67475,8 @@ The options are:
-
14
+
@@ -58494,6 +67489,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartDeadline
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionSchedule
LastWrite
@@ -58503,8 +67503,8 @@ The options are:
-
3
+
@@ -58517,6 +67517,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartSnoozeSchedule
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionSchedule
LastWrite
@@ -58526,8 +67531,8 @@ The options are:
-
7
+
@@ -58540,6 +67545,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ EngagedRestartTransitionSchedule
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ EngagedRestartTransitionSchedule
LastWrite
@@ -58549,8 +67559,8 @@ The options are:
-
0
+
@@ -58563,6 +67573,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ ExcludeWUDriversInQualityUpdate
LastWrite
@@ -58572,8 +67586,8 @@ The options are:
-
0
+
@@ -58586,6 +67600,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ CorpWUFillEmptyContentUrls
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURL
LastWrite
@@ -58595,8 +67614,8 @@ The options are:
-
0
+
@@ -58619,8 +67638,8 @@ The options are:
-
0
+
@@ -58643,8 +67662,8 @@ The options are:
-
3
+
@@ -58657,6 +67676,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ManagePreviewBuildsId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ ManagePreviewBuilds
LastWrite
@@ -58666,8 +67690,8 @@ The options are:
-
0
+
@@ -58680,6 +67704,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseDeferralsId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgrade
LastWrite
@@ -58689,8 +67718,8 @@ The options are:
-
0
+
@@ -58703,6 +67732,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseFeatureUpdatesId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdates
LastWrite
@@ -58712,8 +67746,8 @@ The options are:
-
+
@@ -58726,6 +67760,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ PauseFeatureUpdatesStartId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferFeatureUpdates
LastWrite
@@ -58735,8 +67773,8 @@ The options are:
-
0
+
@@ -58749,6 +67787,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ PauseQualityUpdatesId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdates
LastWrite
@@ -58758,8 +67801,8 @@ The options are:
-
+
@@ -58772,6 +67815,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ PauseQualityUpdatesStartId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat
+ DeferQualityUpdates
LastWrite
@@ -58781,8 +67828,8 @@ The options are:
-
4
+
@@ -58795,6 +67842,7 @@ The options are:
text/plain
+
LowestValueMostSecure
@@ -58804,8 +67852,8 @@ The options are:
-
0
+
@@ -58818,6 +67866,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ DeferUpgradePeriodId
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ DeferUpgrade
LastWrite
@@ -58827,8 +67880,8 @@ The options are:
-
0
+
@@ -58841,6 +67894,7 @@ The options are:
text/plain
+
HighestValueMostSecure
@@ -58850,8 +67904,8 @@ The options are:
-
0
+
@@ -58864,6 +67918,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchDay
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58873,8 +67932,8 @@ The options are:
-
1
+
@@ -58887,6 +67946,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchEveryWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58896,8 +67960,8 @@ The options are:
-
0
+
@@ -58910,6 +67974,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchFirstWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58919,8 +67988,8 @@ The options are:
-
0
+
@@ -58933,6 +68002,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallFourthWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58942,8 +68016,8 @@ The options are:
-
0
+
@@ -58956,6 +68030,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallSecondWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58965,8 +68044,8 @@ The options are:
-
0
+
@@ -58979,6 +68058,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ ScheduledInstallThirdWeek
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -58988,8 +68072,8 @@ The options are:
-
3
+
@@ -59002,6 +68086,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoUpdateSchTime
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoUpdateCfg
LowestValueMostSecure
@@ -59011,8 +68100,8 @@ The options are:
-
15
+
@@ -59026,6 +68115,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ RestartWarn
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ RestartWarnRemind
LastWrite
@@ -59035,8 +68128,8 @@ The options are:
-
4
+
@@ -59050,6 +68143,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ RestartWarnRemind
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ RestartWarnRemind
LastWrite
@@ -59059,8 +68156,8 @@ The options are:
-
0
+
@@ -59073,6 +68170,11 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ AutoRestartNotificationSchd
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ AutoRestartNotificationDisable
LastWrite
@@ -59082,8 +68184,8 @@ The options are:
-
0
+
@@ -59096,6 +68198,10 @@ The options are:
text/plain
+
+ WindowsUpdate.admx
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ SetEDURestart
LastWrite
@@ -59105,8 +68211,8 @@ The options are:
-
CorpWSUS
+
@@ -59119,6 +68225,10 @@ The options are:
text/plain
+ WindowsUpdate.admx
+ CorpWUURL_Name
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURL
LastWrite
@@ -59128,8 +68238,8 @@ The options are:
-
+
@@ -59143,10 +68253,821 @@ The options are:
text/plain
phone
+ WindowsUpdate.admx
+ CorpWUContentHost_Name
+ WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat
+ CorpWuURL
LastWrite
+
+ UserRights
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ AccessCredentialManagerAsTrustedCaller
+
+
+
+
+
+ This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Access Credential Manager ase a trusted caller
+ LastWrite
+ 0xF000
+
+
+
+ AccessFromNetwork
+
+
+
+
+
+ This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Access this computer from the network
+ LastWrite
+ 0xF000
+
+
+
+ ActAsPartOfTheOperatingSystem
+
+
+
+
+
+ This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Act as part of the operating system
+ LastWrite
+ 0xF000
+
+
+
+ AllowLocalLogOn
+
+
+
+
+
+ This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Allow log on locally
+ LastWrite
+ 0xF000
+
+
+
+ BackupFilesAndDirectories
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Back up files and directories
+ LastWrite
+ 0xF000
+
+
+
+ ChangeSystemTime
+
+
+
+
+
+ This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Change the system time
+ LastWrite
+ 0xF000
+
+
+
+ CreateGlobalObjects
+
+
+
+
+
+ This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create global objects
+ LastWrite
+ 0xF000
+
+
+
+ CreatePageFile
+
+
+
+
+
+ This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create a pagefile
+ LastWrite
+ 0xF000
+
+
+
+ CreatePermanentSharedObjects
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create permanent shared objects
+ LastWrite
+ 0xF000
+
+
+
+ CreateSymbolicLinks
+
+
+
+
+
+ This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create symbolic links
+ LastWrite
+ 0xF000
+
+
+
+ CreateToken
+
+
+
+
+
+ This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Create a token object
+ LastWrite
+ 0xF000
+
+
+
+ DebugPrograms
+
+
+
+
+
+ This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Debug programs
+ LastWrite
+ 0xF000
+
+
+
+ DenyAccessFromNetwork
+
+
+
+
+
+ This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny access to this computer from the network
+ LastWrite
+ 0xF000
+
+
+
+ DenyLocalLogOn
+
+
+
+
+
+ This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny log on as a service
+ LastWrite
+ 0xF000
+
+
+
+ DenyRemoteDesktopServicesLogOn
+
+
+
+
+
+ This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Deny log on through Remote Desktop Services
+ LastWrite
+ 0xF000
+
+
+
+ EnableDelegation
+
+
+
+
+
+ This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Enable computer and user accounts to be trusted for delegation
+ LastWrite
+ 0xF000
+
+
+
+ GenerateSecurityAudits
+
+
+
+
+
+ This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Generate security audits
+ LastWrite
+ 0xF000
+
+
+
+ ImpersonateClient
+
+
+
+
+
+ Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+1) The access token that is being impersonated is for this user.
+2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
+3) The requested level is less than Impersonate, such as Anonymous or Identify.
+Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Impersonate a client after authentication
+ LastWrite
+ 0xF000
+
+
+
+ IncreaseSchedulingPriority
+
+
+
+
+
+ This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Increase scheduling priority
+ LastWrite
+ 0xF000
+
+
+
+ LoadUnloadDeviceDrivers
+
+
+
+
+
+ This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Load and unload device drivers
+ LastWrite
+ 0xF000
+
+
+
+ LockMemory
+
+
+
+
+
+ This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Lock pages in memory
+ LastWrite
+ 0xF000
+
+
+
+ ManageAuditingAndSecurityLog
+
+
+
+
+
+ This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Manage auditing and security log
+ LastWrite
+ 0xF000
+
+
+
+ ManageVolume
+
+
+
+
+
+ This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Perform volume maintenance tasks
+ LastWrite
+ 0xF000
+
+
+
+ ModifyFirmwareEnvironment
+
+
+
+
+
+ This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Modify firmware environment values
+ LastWrite
+ 0xF000
+
+
+
+ ModifyObjectLabel
+
+
+
+
+
+ This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Modify an object label
+ LastWrite
+ 0xF000
+
+
+
+ ProfileSingleProcess
+
+
+
+
+
+ This user right determines which users can use performance monitoring tools to monitor the performance of system processes.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Profile single process
+ LastWrite
+ 0xF000
+
+
+
+ RemoteShutdown
+
+
+
+
+
+ This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Force shutdown from a remote system
+ LastWrite
+ 0xF000
+
+
+
+ RestoreFilesAndDirectories
+
+
+
+
+
+ This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Restore files and directories
+ LastWrite
+ 0xF000
+
+
+
+ TakeOwnership
+
+
+
+
+
+ This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ Windows Settings~Security Settings~Local Policies~User Rights Assignment
+ Take ownership of files or other objects
+ LastWrite
+ 0xF000
+
+
+
Wifi
@@ -59172,8 +69093,8 @@ The options are:
-
1
+
@@ -59187,6 +69108,9 @@ The options are:
text/plain
+ wlansvc.admx
+ wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category
+ WiFiSense
LowestValueMostSecure
@@ -59196,8 +69120,8 @@ The options are:
-
1
+
@@ -59211,6 +69135,9 @@ The options are:
text/plain
+ NetworkConnections.admx
+ NetworkConnections~AT~Network~NetworkConnections
+ NC_ShowSharedAccessUI
LowestValueMostSecure
@@ -59220,8 +69147,8 @@ The options are:
-
1
+
@@ -59244,8 +69171,8 @@ The options are:
-
1
+
@@ -59268,8 +69195,8 @@ The options are:
-
1
+
@@ -59292,8 +69219,8 @@ The options are:
-
0
+
@@ -59306,10 +69233,58 @@ The options are:
text/plain
+
HighestValueMostSecureZeroHasNoLimits
+
+ WindowsConnectionManager
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ WCM.admx
+ WCM~AT~Network~WCM_Category
+ WCM_BlockNonDomain
+ LastWrite
+
+
+
WindowsDefenderSecurityCenter
@@ -59335,8 +69310,8 @@ The options are:
-
+
@@ -59350,6 +69325,38 @@ The options are:
text/plain
phone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_CompanyName
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_CompanyName
+ LastWrite
+
+
+
+ DisableAccountProtectionUI
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection
+ AccountProtection_UILockdown
LastWrite
@@ -59359,8 +69366,8 @@ The options are:
-
0
+
@@ -59373,7 +69380,39 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection
+ AppBrowserProtection_UILockdown
+ LastWrite
+
+
+
+ DisableDeviceSecurityUI
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_UILockdown
LastWrite
@@ -59383,8 +69422,8 @@ The options are:
-
0
+
@@ -59397,7 +69436,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications
+ Notifications_DisableEnhancedNotifications
LastWrite
@@ -59407,8 +69450,8 @@ The options are:
-
0
+
@@ -59421,7 +69464,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions
+ FamilyOptions_UILockdown
LastWrite
@@ -59431,8 +69478,8 @@ The options are:
-
0
+
@@ -59445,7 +69492,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth
+ DevicePerformanceHealth_UILockdown
LastWrite
@@ -59455,8 +69506,8 @@ The options are:
-
0
+
@@ -59469,7 +69520,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection
+ FirewallNetworkProtection_UILockdown
LastWrite
@@ -59479,8 +69534,8 @@ The options are:
-
0
+
@@ -59493,7 +69548,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications
+ Notifications_DisableNotifications
LastWrite
@@ -59503,8 +69562,8 @@ The options are:
-
0
+
@@ -59517,7 +69576,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection
+ VirusThreatProtection_UILockdown
LastWrite
@@ -59527,8 +69590,8 @@ The options are:
-
0
+
@@ -59541,7 +69604,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection
+ AppBrowserProtection_DisallowExploitProtectionOverride
LastWrite
@@ -59551,8 +69618,8 @@ The options are:
-
+
@@ -59566,6 +69633,10 @@ The options are:
text/plain
phone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_Email
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_Email
LastWrite
@@ -59575,8 +69646,8 @@ The options are:
-
0
+
@@ -59589,7 +69660,11 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EnableCustomizedToasts
LastWrite
@@ -59599,8 +69674,8 @@ The options are:
-
0
+
@@ -59613,7 +69688,95 @@ The options are:
text/plain
+
phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_EnableInAppCustomization
+ LastWrite
+
+
+
+ HideRansomwareDataRecovery
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection
+ VirusThreatProtection_HideRansomwareRecovery
+ LastWrite
+
+
+
+ HideSecureBoot
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_HideSecureBoot
+ LastWrite
+
+
+
+ HideTPMTroubleshooting
+
+
+
+
+ 0
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+ phone
+ WindowsDefenderSecurityCenter.admx
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity
+ DeviceSecurity_HideTPMTroubleshooting
LastWrite
@@ -59623,8 +69786,8 @@ The options are:
-
+
@@ -59638,6 +69801,10 @@ The options are:
text/plain
phone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_Phone
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_Phone
LastWrite
@@ -59647,8 +69814,8 @@ The options are:
-
+
@@ -59662,6 +69829,10 @@ The options are:
text/plain
phone
+ WindowsDefenderSecurityCenter.admx
+ Presentation_EnterpriseCustomization_URL
+ WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization
+ EnterpriseCustomization_URL
LastWrite
@@ -59691,8 +69862,8 @@ The options are:
-
1
+
@@ -59707,6 +69878,9 @@ The options are:
phone
+ WindowsInkWorkspace.admx
+ WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace
+ AllowSuggestedAppsInWindowsInkWorkspace
LowestValueMostSecure
@@ -59716,8 +69890,8 @@ The options are:
-
2
+
@@ -59730,7 +69904,12 @@ The options are:
text/plain
+
phone
+ WindowsInkWorkspace.admx
+ AllowWindowsInkWorkspaceDropdown
+ WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace
+ AllowWindowsInkWorkspace
LowestValueMostSecure
@@ -59760,8 +69939,8 @@ The options are:
-
+
@@ -59787,8 +69966,8 @@ The options are:
-
+
@@ -59808,14 +69987,41 @@ The options are:
LastWrite
+
+ EnumerateLocalUsersOnDomainJoinedComputers
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ logon.admx
+ Logon~AT~System~Logon
+ EnumerateLocalUsers
+ LastWrite
+
+
HideFastUserSwitching
- This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
0
+ This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
@@ -59829,9 +70035,86 @@ The options are:
text/plain
+ Logon.admx
+ Logon~AT~System~Logon
+ HideFastUserSwitching
HighestValueMostSecure
+
+ SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ WinLogon.admx
+ WinLogon~AT~WindowsComponents~Logon
+ AutomaticRestartSignOn
+ LastWrite
+
+
+
+
+ WindowsPowerShell
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ TurnOnPowerShellScriptBlockLogging
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ phone
+ PowerShellExecutionPolicy.admx
+ PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell
+ EnableScriptBlockLogging
+ LastWrite
+
+
WirelessDisplay
@@ -59858,8 +70141,8 @@ The options are:
- This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
1
+ This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
@@ -59882,8 +70165,8 @@ The options are:
- This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver.
1
+ This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver.
@@ -59906,10 +70189,10 @@ The options are:
+ 1
This policy allows you to turn off projection from a PC.
If you set it to 0, your PC cannot discover or project to other devices.
If you set it to 1, your PC can discover and project to other devices.
- 1
@@ -59932,10 +70215,10 @@ The options are:
+ 1
This policy allows you to turn off projection from a PC over infrastructure.
If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct.
If you set it to 1, your PC can discover and project to other devices over infrastructure.
- 1
@@ -59958,10 +70241,10 @@ The options are:
+ 1
This policy setting allows you to turn off projection to a PC
If you set it to 0, your PC isn't discoverable and can't be projected to
If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too.
- 1
@@ -59976,6 +70259,9 @@ The options are:
phone
+ WirelessDisplay.admx
+ WirelessDisplay~AT~WindowsComponents~Connect
+ AllowProjectionToPC
LowestValueMostSecure
@@ -59985,10 +70271,10 @@ The options are:
+ 1
This policy setting allows you to turn off projection to a PC over infrastructure.
If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct.
If you set it to 1, your PC can be discoverable and can be projected to over infrastructure.
- 1
@@ -60011,8 +70297,8 @@ The options are:
-
1
+
@@ -60035,10 +70321,10 @@ The options are:
+ 0
This policy setting allows you to require a pin for pairing.
If you turn this on, the pairing ceremony for new devices will always require a PIN
If you turn it off or don't configure it, a pin isn't required for pairing.
- 0
@@ -60052,6 +70338,9 @@ The options are:
text/plain
+ WirelessDisplay.admx
+ WirelessDisplay~AT~WindowsComponents~Connect
+ RequirePinForPairing
LowestValueMostSecure