exploitguard federatedauthentication fileexplorer

Liz Long 2022-12-30 16:37:14 -05:00
parent 141f6913c5
commit 192c548ef5
3 changed files with 501 additions and 481 deletions

File diff suppressed because one or more lines are too long

@ -1,81 +1,83 @@
---
title: Policy CSP - FederatedAuthentication
description: Use the Policy CSP - Represents the enablement state of the Web Sign-in Credential Provider for device sign-in.
ms.author: v-nsatapathy
ms.topic: article
title: FederatedAuthentication Policy CSP
description: Learn more about the FederatedAuthentication Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 12/30/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/07/2022
ms.reviewer:
manager: dansimp
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- FederatedAuthentication-Begin -->
# Policy CSP - FederatedAuthentication
<!-- FederatedAuthentication-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- FederatedAuthentication-Editable-End -->
<hr/>
<!-- EnableWebSignInForPrimaryUser-Begin -->
## EnableWebSignInForPrimaryUser
<!--Policies-->
## FederatedAuthentication policies
<!-- EnableWebSignInForPrimaryUser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableWebSignInForPrimaryUser-Applicability-End -->
<dl>
<dd>
<a href="#federatedauthentication-enablewebsigninforprimaryuser">FederatedAuthentication/EnableWebSignInForPrimaryUser</a>
</dd>
</dl>
<!-- EnableWebSignInForPrimaryUser-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser
```
<!-- EnableWebSignInForPrimaryUser-OmaUri-End -->
<!-- EnableWebSignInForPrimaryUser-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether web-based sign-in is enabled with the Primary User experience
<!-- EnableWebSignInForPrimaryUser-Description-End -->
<hr/>
<!--Policy-->
<a href="" id="federatedauthentication-enablewebsigninforprimaryuser"></a>**FederatedAuthentication/EnableWebSignInForPrimaryUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|No|
|Education|No|No|
|Windows SE|Yes|No|
> [!NOTE]
> Only available on Windows SE edition when Education/IsEducationEnvironment policy is also set to "1".
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether Web Sign-in can be used for device sign-in in a single-user environment.
<!-- EnableWebSignInForPrimaryUser-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Web Sign-in is only supported on Azure AD Joined PCs.
<!-- EnableWebSignInForPrimaryUser-Editable-End -->
<!--/Description-->
<!-- EnableWebSignInForPrimaryUser-DFProperties-Begin -->
**Description framework properties**:
<!--SupportedValues-->
Value type is integer:
- 0 - (default): Feature defaults as appropriate for edition and device capabilities.
- 1 - Enabled: Web Sign-in Credential Provider will be enabled for device sign-in.
- 2 - Disabled: Web Sign-in Credential Provider won't be enabled for device sign-in.
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableWebSignInForPrimaryUser-DFProperties-End -->
<!--/SupportedValues-->
<!-- EnableWebSignInForPrimaryUser-AllowedValues-Begin -->
**Allowed values**:
<!--/Policy-->
| Value | Description |
|:--|:--|
| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. |
<!-- EnableWebSignInForPrimaryUser-AllowedValues-End -->
<!--/Policies-->
<!-- EnableWebSignInForPrimaryUser-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableWebSignInForPrimaryUser-Examples-End -->
<!-- EnableWebSignInForPrimaryUser-End -->
<!-- FederatedAuthentication-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- FederatedAuthentication-CspMoreInfo-End -->
<!-- FederatedAuthentication-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
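Review bot: The removed SupportedSKUs note ("Only available on Windows SE edition when Education/IsEducationEnvironment policy is also set to "1"") has no counterpart in the new EnableWebSignInForPrimaryUser section, while the new applicability table marks Pro, Enterprise and Education as supported on Windows 11, version 22H2 and later. If that prerequisite still applies to any edition, restate it inside the EnableWebSignInForPrimaryUser-Editable block next to the Azure AD note so regeneration cannot drop it; if it no longer applies, say so in the commit message, because the change widens where the Web Sign-in credential provider is documented as available. In the Allowed values table the row for value 2 reads "will be not be enabled" and should read "will not be enabled". The DDF description line is also missing its closing period.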

@ -1,416 +1,435 @@
---
title: Policy CSP - FileExplorer
description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer.
title: FileExplorer Policy CSP
description: Learn more about the FileExplorer Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.date: 12/30/2022
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- FileExplorer-Begin -->
# Policy CSP - FileExplorer
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- FileExplorer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- FileExplorer-Editable-End -->
<hr/>
<!-- AllowOptionToShowNetwork-Begin -->
## AllowOptionToShowNetwork
<!--Policies-->
## FileExplorer policies
<!-- AllowOptionToShowNetwork-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowOptionToShowNetwork-Applicability-End -->
<dl>
<dd>
<a href="#fileexplorer-allowoptiontoshownetwork">FileExplorer/AllowOptionToShowNetwork</a>
</dd>
<dd>
<a href="#fileexplorer-allowoptiontoshowthispc">FileExplorer/AllowOptionToShowThisPC</a>
</dd>
<dd>
<a href="#fileexplorer-turnoffdataexecutionpreventionforexplorer">FileExplorer/TurnOffDataExecutionPreventionForExplorer</a>
</dd>
<dd>
<a href="#fileexplorer-turnoffheapterminationoncorruption">FileExplorer/TurnOffHeapTerminationOnCorruption</a>
</dd>
<dd>
<a href="#fileexplorer-setallowedfolderlocations">FileExplorer/SetAllowedFolderLocations</a>
</dd>
<dd>
<a href="#fileexplorer-setallowedstoragelocations">FileExplorer/SetAllowedStorageLocations</a>
</dd>
<dd>
<a href="#fileexplorer-disablegraphrecentitems">FileExplorer/DisableGraphRecentItems</a>
</dd>
</dl>
<!-- AllowOptionToShowNetwork-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork
```
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowNetwork
```
<!-- AllowOptionToShowNetwork-OmaUri-End -->
<!-- AllowOptionToShowNetwork-Description-Begin -->
<!-- Description-Source-DDF -->
When the Network folder is restricted, give the user the option to enumerate and navigate into it.
<!-- AllowOptionToShowNetwork-Description-End -->
<hr/>
<!-- AllowOptionToShowNetwork-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionToShowNetwork-Editable-End -->
<!--Policy-->
<a href="" id="fileexplorer-allowoptiontoshownetwork"></a>**FileExplorer/AllowOptionToShowNetwork**
<!-- AllowOptionToShowNetwork-DFProperties-Begin -->
**Description framework properties**:
<!--SupportedSKUs-->
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionToShowNetwork-DFProperties-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowOptionToShowNetwork-AllowedValues-Begin -->
**Allowed values**:
<!--/SupportedSKUs-->
<hr/>
| Value | Description |
|:--|:--|
| 0 (Default) | Not Allowed. |
| 1 | Allowed. |
<!-- AllowOptionToShowNetwork-AllowedValues-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- AllowOptionToShowNetwork-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionToShowNetwork-Examples-End -->
> [!div class = "checklist"]
> * Device
<!-- AllowOptionToShowNetwork-End -->
<hr/>
<!-- AllowOptionToShowThisPC-Begin -->
## AllowOptionToShowThisPC
<!--/Scope-->
<!--Description-->
<!-- AllowOptionToShowThisPC-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- AllowOptionToShowThisPC-Applicability-End -->
This policy allows the user with an option to show the network folder when restricted.
<!-- AllowOptionToShowThisPC-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC
```
<!--/Description-->
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/AllowOptionToShowThisPC
```
<!-- AllowOptionToShowThisPC-OmaUri-End -->
<!--SupportedValues-->
The following list shows the supported values:
<!-- AllowOptionToShowThisPC-Description-Begin -->
<!-- Description-Source-DDF -->
When This PC location is restricted, give the user the option to enumerate and navigate into it.
<!-- AllowOptionToShowThisPC-Description-End -->
- 0 - Disabled
- 1 (default) - Enabled
<!-- AllowOptionToShowThisPC-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowOptionToShowThisPC-Editable-End -->
<!--/SupportedValues-->
<!-- AllowOptionToShowThisPC-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow the user the option to show Network folder when restricted*
- GP name: *AllowOptionToShowNetwork*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowOptionToShowThisPC-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<!-- AllowOptionToShowThisPC-AllowedValues-Begin -->
**Allowed values**:
<hr/>
| Value | Description |
|:--|:--|
| 0 (Default) | Not Allowed. |
| 1 | Allowed. |
<!-- AllowOptionToShowThisPC-AllowedValues-End -->
<!--Policy-->
<a href="" id="fileexplorer-allowoptiontoshowthispc"></a>**FileExplorer/AllowOptionToShowThisPC**
<!-- AllowOptionToShowThisPC-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowOptionToShowThisPC-Examples-End -->
<!--SupportedSKUs-->
<!-- AllowOptionToShowThisPC-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisableGraphRecentItems-Begin -->
## DisableGraphRecentItems
<!--/SupportedSKUs-->
<hr/>
<!-- DisableGraphRecentItems-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
<!-- DisableGraphRecentItems-Applicability-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- DisableGraphRecentItems-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/DisableGraphRecentItems
```
<!-- DisableGraphRecentItems-OmaUri-End -->
> [!div class = "checklist"]
> * User
<!-- DisableGraphRecentItems-Description-Begin -->
<!-- Description-Source-ADMX -->
Turning off files from Office.com will prevent File Explorer from requesting recent cloud file metadata and displaying it in the Quick access view.
<!-- DisableGraphRecentItems-Description-End -->
<hr/>
<!-- DisableGraphRecentItems-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableGraphRecentItems-Editable-End -->
<!--/Scope-->
<!--Description-->
<!-- DisableGraphRecentItems-DFProperties-Begin -->
**Description framework properties**:
This policy allows the user with an option to show this PC location when restricted.
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableGraphRecentItems-DFProperties-End -->
<!--/Description-->
<!-- DisableGraphRecentItems-AllowedValues-Begin -->
**Allowed values**:
<!--SupportedValues-->
The following list shows the supported values:
| Value | Description |
|:--|:--|
| 0 (Default) | File Explorer will request cloud file metadata and display it in the Quick access view. |
| 1 | File Explorer will not request cloud file metadata or display it in the Quick access view. |
<!-- DisableGraphRecentItems-AllowedValues-End -->
- 0 - Disabled
- 1 (default) - Enabled
<!-- DisableGraphRecentItems-GpMapping-Begin -->
**Group policy mapping**:
<!--/SupportedValues-->
| Name | Value |
|:--|:--|
| Name | DisableGraphRecentItems |
| Friendly Name | Turn off files from Office.com in Quick access view |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | DisableGraphRecentItems |
| ADMX File Name | Explorer.admx |
<!-- DisableGraphRecentItems-GpMapping-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow the user the option to show Network folder when restricted*
- GP name: *AllowOptionToShowThisPC*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!-- DisableGraphRecentItems-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableGraphRecentItems-Examples-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<!-- DisableGraphRecentItems-End -->
<hr/>
<!-- SetAllowedFolderLocations-Begin -->
## SetAllowedFolderLocations
<!--Policy-->
<a href="" id="fileexplorer-turnoffdataexecutionpreventionforexplorer"></a>**FileExplorer/TurnOffDataExecutionPreventionForExplorer**
<!-- SetAllowedFolderLocations-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- SetAllowedFolderLocations-Applicability-End -->
<!--SupportedSKUs-->
<!-- SetAllowedFolderLocations-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations
```
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedFolderLocations
```
<!-- SetAllowedFolderLocations-OmaUri-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- SetAllowedFolderLocations-Description-Begin -->
<!-- Description-Source-DDF -->
A value that can represent one or more folder locations in File Explorer. If not specified, the default is access to all folder locations.
<!-- SetAllowedFolderLocations-Description-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- SetAllowedFolderLocations-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetAllowedFolderLocations-Editable-End -->
> [!div class = "checklist"]
> * Device
<!-- SetAllowedFolderLocations-DFProperties-Begin -->
**Description framework properties**:
<hr/>
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetAllowedFolderLocations-DFProperties-End -->
<!--/Scope-->
<!--Description-->
<!-- SetAllowedFolderLocations-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Access to all folder locations. |
| 13 | Documents, Pictures, Downloads |
| 15 | Desktop, Documents, Pictures, Downloads |
| 31 | Desktop, Documents, Pictures, Downloads, Network |
| 47 | This PC, Desktop, Documents, Pictures, Downloads |
| 63 | This PC, Desktop, Documents, Pictures, Downloads, Network |
<!-- SetAllowedFolderLocations-AllowedValues-End -->
<!-- SetAllowedFolderLocations-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetAllowedFolderLocations-Examples-End -->
<!-- SetAllowedFolderLocations-End -->
<!-- SetAllowedStorageLocations-Begin -->
## SetAllowedStorageLocations
<!-- SetAllowedStorageLocations-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- SetAllowedStorageLocations-Applicability-End -->
<!-- SetAllowedStorageLocations-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations
```
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/SetAllowedStorageLocations
```
<!-- SetAllowedStorageLocations-OmaUri-End -->
<!-- SetAllowedStorageLocations-Description-Begin -->
<!-- Description-Source-DDF -->
A value that can represent one or more storage locations in File Explorer. If not specified, the default is access to all storage locations.
<!-- SetAllowedStorageLocations-Description-End -->
<!-- SetAllowedStorageLocations-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SetAllowedStorageLocations-Editable-End -->
<!-- SetAllowedStorageLocations-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- SetAllowedStorageLocations-DFProperties-End -->
<!-- SetAllowedStorageLocations-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Access to all storage locations. |
| 1 | Removable Drives |
| 2 | Sync roots |
| 3 | Removable Drives, Sync roots |
| 4 | Local Drives |
| 5 | Removable Drives, Local Drives |
| 6 | Sync Roots, Local Drives |
| 7 | Removable Drives, Sync Roots, Local Drives |
<!-- SetAllowedStorageLocations-AllowedValues-End -->
<!-- SetAllowedStorageLocations-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SetAllowedStorageLocations-Examples-End -->
<!-- SetAllowedStorageLocations-End -->
<!-- TurnOffDataExecutionPreventionForExplorer-Begin -->
## TurnOffDataExecutionPreventionForExplorer
<!-- TurnOffDataExecutionPreventionForExplorer-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- TurnOffDataExecutionPreventionForExplorer-Applicability-End -->
<!-- TurnOffDataExecutionPreventionForExplorer-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffDataExecutionPreventionForExplorer
```
<!-- TurnOffDataExecutionPreventionForExplorer-OmaUri-End -->
<!-- TurnOffDataExecutionPreventionForExplorer-Description-Begin -->
<!-- Description-Source-ADMX -->
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
<!-- TurnOffDataExecutionPreventionForExplorer-Description-End -->
<!--/Description-->
<!-- TurnOffDataExecutionPreventionForExplorer-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffDataExecutionPreventionForExplorer-Editable-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off Data Execution Prevention for Explorer*
- GP name: *NoDataExecutionPrevention*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!-- TurnOffDataExecutionPreventionForExplorer-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXBacked-->
<!--/Policy-->
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TurnOffDataExecutionPreventionForExplorer-DFProperties-End -->
<hr/>
<!-- TurnOffDataExecutionPreventionForExplorer-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="fileexplorer-turnoffheapterminationoncorruption"></a>**FileExplorer/TurnOffHeapTerminationOnCorruption**
**ADMX mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | NoDataExecutionPrevention |
| Friendly Name | Turn off Data Execution Prevention for Explorer |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | NoDataExecutionPrevention |
| ADMX File Name | Explorer.admx |
<!-- TurnOffDataExecutionPreventionForExplorer-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- TurnOffDataExecutionPreventionForExplorer-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffDataExecutionPreventionForExplorer-Examples-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- TurnOffDataExecutionPreventionForExplorer-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- TurnOffHeapTerminationOnCorruption-Begin -->
## TurnOffHeapTerminationOnCorruption
> [!div class = "checklist"]
> * Device
<!-- TurnOffHeapTerminationOnCorruption-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
<!-- TurnOffHeapTerminationOnCorruption-Applicability-End -->
<hr/>
<!-- TurnOffHeapTerminationOnCorruption-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/FileExplorer/TurnOffHeapTerminationOnCorruption
```
<!-- TurnOffHeapTerminationOnCorruption-OmaUri-End -->
<!--/Scope-->
<!--Description-->
<!-- TurnOffHeapTerminationOnCorruption-Description-Begin -->
<!-- Description-Source-ADMX -->
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.
<!-- TurnOffHeapTerminationOnCorruption-Description-End -->
<!--/Description-->
<!-- TurnOffHeapTerminationOnCorruption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TurnOffHeapTerminationOnCorruption-Editable-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off heap termination on corruption*
- GP name: *NoHeapTerminationOnCorruption*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!-- TurnOffHeapTerminationOnCorruption-DFProperties-Begin -->
**Description framework properties**:
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TurnOffHeapTerminationOnCorruption-DFProperties-End -->
<!--Policy-->
<a href="" id="fileexplorer-setallowedfolderlocations"></a>**FileExplorer/SetAllowedFolderLocations**
<!-- TurnOffHeapTerminationOnCorruption-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--SupportedSKUs-->
**ADMX mapping**:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
| Name | Value |
|:--|:--|
| Name | NoHeapTerminationOnCorruption |
| Friendly Name | Turn off heap termination on corruption |
| Location | Computer Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | NoHeapTerminationOnCorruption |
| ADMX File Name | Explorer.admx |
<!-- TurnOffHeapTerminationOnCorruption-AdmxBacked-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- TurnOffHeapTerminationOnCorruption-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TurnOffHeapTerminationOnCorruption-Examples-End -->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- TurnOffHeapTerminationOnCorruption-End -->
> [!div class = "checklist"]
> * User
<!-- FileExplorer-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- FileExplorer-CspMoreInfo-End -->
<hr/>
<!-- FileExplorer-End -->
<!--/Scope-->
<!--Description-->
This policy configures the folders that the user can enumerate and access in the File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: All folders
- 15: Desktop, Documents, Pictures, and Downloads
- 31: Desktop, Documents, Pictures, Downloads, and Network
- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
- GP name: *SetAllowedFolderLocations*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-setallowedstoragelocations"></a>**FileExplorer/SetAllowedStorageLocations**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy configures the folders that the user can enumerate and access in the File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: All storage locations
- 1: Removable Drives
- 2: Sync roots
- 3: Removable Drives, Sync roots, local drive
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer*
- GP name: *SetAllowedStorageLocations*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-disablegraphrecentitems"></a>**FileExplorer/DisableGraphRecentItems**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: Files from Office.com will display in the Home node
- 1: No files from Office.com will be retrieved or displayed
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off files from Office.com in Quick access view*
- GP name: *DisableGraphRecentItems*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
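Review bot: The documented default for AllowOptionToShowNetwork and AllowOptionToShowThisPC is inverted by this hunk: the removed lists read "0 - Disabled" and "1 (default) - Enabled", while the new tables give "0 (Default) | Not Allowed" with a DFProperties Default Value of 0. Confirm the value against the DDF, since the two versions describe opposite out-of-box behaviour for restricted folders. Scope also changes without comment: the removed checklists show User only for SetAllowedFolderLocations, SetAllowedStorageLocations and DisableGraphRecentItems, whereas the new applicability tables show Device and User for the first two and Device only for the third. TurnOffDataExecutionPreventionForExplorer and TurnOffHeapTerminationOnCorruption are left with empty Editable and Examples blocks; both relax a process mitigation for Explorer, so a short note on that trade-off and a sample enable/disable payload would fit there. The SetAllowedStorageLocations table mixes "Sync roots" and "Sync Roots"; pick one spelling.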