diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 9f1639a0ed..1b914b6115 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -1,106 +1,105 @@ --- -title: Policy CSP - ExploitGuard -description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization. +title: ExploitGuard Policy CSP +description: Learn more about the ExploitGuard Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - ExploitGuard -
+ + + - -## ExploitGuard policies + +## ExploitProtectionSettings -
-
- ExploitGuard/ExploitProtectionSettings -
-
- -
- - -**ExploitGuard/ExploitProtectionSettings** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/microsoft-365/security/defender-endpoint/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). - -The system settings require a reboot; the application settings do not require a reboot. - - - -ADMX Info: -- GP Friendly name: *Use a common set of exploit protection settings* -- GP name: *ExploitProtection_Name* -- GP element: *ExploitProtection_Name* -- GP path: *Windows Components/Windows Defender Exploit Guard/Exploit Protection* -- GP ADMX file name: *ExploitGuard.admx* - - - -Here is an example: - -```xml - - - - - $CmdId$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings - - ]]> - - - - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + +```Device +./Device/Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings ``` + - - -
+ + +Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoints that have this GP setting configured. +There are some prerequisites before you can enable this setting: +- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation PowerShell cmdlet, the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet, or directly in Windows Security. +- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security. +- Place the generated XML file in a shared or local path. - +Note: Endpoints that have this GP setting set to Enabled must be able to access the XML file, otherwise the settings will not be applied. -## Related topics +Enabled +Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following: +- C:\MitigationSettings\Config.XML +- \\Server\Share\Config.xml +- https://localhost:8080/Config.xml -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +The settings in the XML file will be applied to the endpoint. + +Disabled +Common settings will not be applied, and the locally configured settings will be used instead. + +Not configured +Same as Disabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | ExploitProtection_Name | +| Friendly Name | Use a common set of exploit protection settings | +| Element Name | Type the location (local path, UNC path, or URL) of the mitigation settings configuration XML file | +| Location | Computer Configuration | +| Path | Windows Components > Microsoft Defender Exploit Guard > Exploit Protection | +| Registry Key Name | Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection | +| ADMX File Name | ExploitGuard.admx | + + + + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md index fd8823c506..61935e9c1c 100644 --- a/windows/client-management/mdm/policy-csp-federatedauthentication.md +++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md @@ -1,81 +1,83 @@ --- -title: Policy CSP - FederatedAuthentication -description: Use the Policy CSP - Represents the enablement state of the Web Sign-in Credential Provider for device sign-in. -ms.author: v-nsatapathy -ms.topic: article +title: FederatedAuthentication Policy CSP +description: Learn more about the FederatedAuthentication Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz +ms.author: vinpa +ms.date: 12/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: nimishasatapathy -ms.localizationpriority: medium -ms.date: 09/07/2022 -ms.reviewer: -manager: dansimp +ms.topic: reference --- + + + # Policy CSP - FederatedAuthentication + + + -
+ +## EnableWebSignInForPrimaryUser - -## FederatedAuthentication policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + -
-
- FederatedAuthentication/EnableWebSignInForPrimaryUser -
-
+ +```Device +./Device/Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser +``` + + + +Specifies whether web-based sign-in is enabled with the Primary User experience + -
- - -**FederatedAuthentication/EnableWebSignInForPrimaryUser** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| -|Windows SE|Yes|No| - -> [!NOTE] -> Only available on Windows SE edition when Education/IsEducationEnvironment policy is also set to "1". - - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
- - - -This policy specifies whether Web Sign-in can be used for device sign-in in a single-user environment.​ - + + > [!NOTE] > Web Sign-in is only supported on Azure AD Joined PCs. + - + +**Description framework properties**: - -Value type is integer: -- 0 - (default): Feature defaults as appropriate for edition and device capabilities. -- 1 - Enabled: Web Sign-in Credential Provider will be enabled for device sign-in. -- 2 - Disabled: Web Sign-in Credential Provider won't be enabled for device sign-in. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - +| Value | Description | +|:--|:--| +| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. | +| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. | +| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. | + - + + + + + + + + + + + +## Related articles + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index e4dfc521d7..31e6019835 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -1,416 +1,435 @@ --- -title: Policy CSP - FileExplorer -description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer. +title: FileExplorer Policy CSP +description: Learn more about the FileExplorer Area in Policy CSP +author: vinaypamnani-msft +manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 12/30/2022 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: aaroncz +ms.topic: reference --- + + + # Policy CSP - FileExplorer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + + -
+ +## AllowOptionToShowNetwork - -## FileExplorer policies + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -
-
- FileExplorer/AllowOptionToShowNetwork -
-
- FileExplorer/AllowOptionToShowThisPC -
-
- FileExplorer/TurnOffDataExecutionPreventionForExplorer -
-
- FileExplorer/TurnOffHeapTerminationOnCorruption -
-
- FileExplorer/SetAllowedFolderLocations -
-
- FileExplorer/SetAllowedStorageLocations -
-
- FileExplorer/DisableGraphRecentItems -
-
+ +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork +``` +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork +``` + + + +When the Network folder is restricted, give the user the option to enumerate and navigate into it. + -
+ + + - -**FileExplorer/AllowOptionToShowNetwork** + +**Description framework properties**: - +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +**Allowed values**: - -
+| Value | Description | +|:--|:--| +| 0 (Default) | Not Allowed. | +| 1 | Allowed. | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + -
+ +## AllowOptionToShowThisPC - - + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + -This policy allows the user with an option to show the network folder when restricted. + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC +``` - +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC +``` + - -The following list shows the supported values: + + +When This PC location is restricted, give the user the option to enumerate and navigate into it. + -- 0 - Disabled -- 1 (default) - Enabled + + + - + +**Description framework properties**: - -ADMX Info: -- GP Friendly name: *Allow the user the option to show Network folder when restricted* -- GP name: *AllowOptionToShowNetwork* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: -
+| Value | Description | +|:--|:--| +| 0 (Default) | Not Allowed. | +| 1 | Allowed. | + - -**FileExplorer/AllowOptionToShowThisPC** + + + - + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + +## DisableGraphRecentItems - -
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/DisableGraphRecentItems +``` + -> [!div class = "checklist"] -> * User + + +Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view. + -
+ + + - - + +**Description framework properties**: -This policy allows the user with an option to show this PC location when restricted. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - + +**Allowed values**: - -The following list shows the supported values: +| Value | Description | +|:--|:--| +| 0 (Default) | File Explorer will request cloud file metadata and display it in the Quick access view. | +| 1 | File Explorer will not request cloud file metadata or display it in the Quick access view. | + -- 0 - Disabled -- 1 (default) - Enabled + +**Group policy mapping**: - +| Name | Value | +|:--|:--| +| Name | DisableGraphRecentItems | +| Friendly Name | Turn off files from Office.com in Quick access view | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | DisableGraphRecentItems | +| ADMX File Name | Explorer.admx | + - -ADMX Info: -- GP Friendly name: *Allow the user the option to show Network folder when restricted* -- GP name: *AllowOptionToShowThisPC* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + + + - - + -
+ +## SetAllowedFolderLocations - -**FileExplorer/TurnOffDataExecutionPreventionForExplorer** + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + - + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations +``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations +``` + - -
+ + +A value that can represent one or more folder locations in File Explorer. If not specified, the default is access to all folder locations. + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + + + -> [!div class = "checklist"] -> * Device + +**Description framework properties**: -
+| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + - - + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Access to all folder locations. | +| 13 | Documents, Pictures, Downloads | +| 15 | Desktop, Documents, Pictures, Downloads | +| 31 | Desktop, Documents, Pictures, Downloads, Network | +| 47 | This PC, Desktop, Documents, Pictures, Downloads | +| 63 | This PC, Desktop, Documents, Pictures, Downloads, Network | + + + + + + + + + +## SetAllowedStorageLocations + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations +``` + + + + +A value that can represent one or more storage locations in File Explorer. If not specified, the default is access to all storage locations. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Access to all storage locations. | +| 1 | Removable Drives | +| 2 | Sync roots | +| 3 | Removable Drives, Sync roots | +| 4 | Local Drives | +| 5 | Removable Drives, Local Drives | +| 6 | Sync Roots, Local Drives | +| 7 | Removable Drives, Sync Roots, Local Drives | + + + + + + + + + +## TurnOffDataExecutionPreventionForExplorer + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffDataExecutionPreventionForExplorer +``` + + + + Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off Data Execution Prevention for Explorer* -- GP name: *NoDataExecutionPrevention* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -
+ +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**FileExplorer/TurnOffHeapTerminationOnCorruption** +**ADMX mapping**: - +| Name | Value | +|:--|:--| +| Name | NoDataExecutionPrevention | +| Friendly Name | Turn off Data Execution Prevention for Explorer | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoDataExecutionPrevention | +| ADMX File Name | Explorer.admx | + -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| + + + - -
+ - -[Scope](./policy-configuration-service-provider.md#policy-scope): + +## TurnOffHeapTerminationOnCorruption -> [!div class = "checklist"] -> * Device + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later | + -
+ +```Device +./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffHeapTerminationOnCorruption +``` + - - + + Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + - + + + - -ADMX Info: -- GP Friendly name: *Turn off heap termination on corruption* -- GP name: *NoHeapTerminationOnCorruption* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* + +**Description framework properties**: - - -
+| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + - -**FileExplorer/SetAllowedFolderLocations** + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +**ADMX mapping**: -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +| Name | Value | +|:--|:--| +| Name | NoHeapTerminationOnCorruption | +| Friendly Name | Turn off heap termination on corruption | +| Location | Computer Configuration | +| Path | WindowsComponents > File Explorer | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoHeapTerminationOnCorruption | +| ADMX File Name | Explorer.admx | + - -
+ + + - -[Scope](./policy-configuration-service-provider.md#policy-scope): + -> [!div class = "checklist"] -> * User + + + -
+ - - - - -This policy configures the folders that the user can enumerate and access in the File Explorer. - - - - -The following list shows the supported values: - -- 0: All folders -- 15: Desktop, Documents, Pictures, and Downloads -- 31: Desktop, Documents, Pictures, Downloads, and Network -- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads -- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network - - - - -ADMX Info: -- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* -- GP name: *SetAllowedFolderLocations* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
- - -**FileExplorer/SetAllowedStorageLocations** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - - - -This policy configures the folders that the user can enumerate and access in the File Explorer. - - - - -The following list shows the supported values: - -- 0: All storage locations -- 1: Removable Drives -- 2: Sync roots -- 3: Removable Drives, Sync roots, local drive - - - - -ADMX Info: -- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* -- GP name: *SetAllowedStorageLocations* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
- - -**FileExplorer/DisableGraphRecentItems** - - - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| -|Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| - - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - - - -This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer. - - - - -The following list shows the supported values: - -- 0: Files from Office.com will display in the Home node -- 1: No files from Office.com will be retrieved or displayed - - - - -ADMX Info: -- GP Friendly name: *Turn off files from Office.com in Quick access view* -- GP name: *DisableGraphRecentItems* -- GP path: *File Explorer* -- GP ADMX file name: *Explorer.admx* - - - - -
- - - - -## Related topics +## Related articles [Policy configuration service provider](policy-configuration-service-provider.md)