+ + +## ADMX_CredSsp policies + +
-
+
- + ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly + +
- + ADMX_CredSsp/AllowDefaultCredentials + +
- + ADMX_CredSsp/AllowEncryptionOracle + +
- + ADMX_CredSsp/AllowFreshCredentials + +
- + ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly + +
- + ADMX_CredSsp/AllowSavedCredentials + +
- + ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly + +
- + ADMX_CredSsp/DenyDefaultCredentials + +
- + ADMX_CredSsp/DenyFreshCredentials + +
- + ADMX_CredSsp/DenySavedCredentials + +
- + ADMX_CredSsp/RestrictedRemoteAdministration + +
+ + +**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating default credentials with NTLM-only server authentication* +- GP name: *AllowDefCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/AllowDefaultCredentials** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows). + +The policy becomes effective the next time the user signs on to a computer running Windows. + +If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB. + +FWlink for KB: +https://go.microsoft.com/fwlink/?LinkId=301508 + +> [!NOTE] +> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating default credentials* +- GP name: *AllowDefaultCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/AllowEncryptionOracle** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). + +Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. + +If you enable this policy setting, CredSSP version support will be selected based on the following options: + +- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. + + > [!NOTE] + > This setting should not be deployed until all remote hosts support the newest version. + +- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. + +- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. + +For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660 + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Encryption Oracle Remediation* +- GP name: *AllowEncryptionOracle* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/AllowFreshCredentials** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating fresh credentials* +- GP name: *AllowFreshCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating fresh credentials with NTLM-only server authentication* +- GP name: *AllowFreshCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/AllowSavedCredentials** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos. + +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*). + +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating saved credentials* +- GP name: *AllowSavedCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +This policy setting applies when server authentication was achieved via NTLM. + +If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine. + +If you disable this policy setting, delegation of saved credentials is not permitted to any machine. + +> [!NOTE] +> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow delegating saved credentials with NTLM-only server authentication* +- GP name: *AllowSavedCredentialsWhenNTLMOnly* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/DenyDefaultCredentials** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating default credentials* +- GP name: *DenyDefaultCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/DenyFreshCredentials** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating fresh credentials* +- GP name: *DenyFreshCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/DenySavedCredentials** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection). + +If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager). + +If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server. + +> [!NOTE] +> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. +> +> For Example: +> +> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine +> - TERMSRV/* Remote Desktop Session Host running on all machines. +> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com + +This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny delegating saved credentials* +- GP name: *DenySavedCredentials* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ + +**ADMX_CredSsp/RestrictedRemoteAdministration** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device. + +Participating apps: +Remote Desktop Client + +If you enable this policy setting, the following options are supported: + +- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. +- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts. +- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts. + +If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices. + +> [!NOTE] +> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation). +> +> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict delegation of credentials to remote servers* +- GP name: *RestrictedRemoteAdministration* +- GP path: *System\Credentials Delegation* +- GP ADMX file name: *CredSsp.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md new file mode 100644 index 0000000000..06baf9787a --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -0,0 +1,114 @@ +--- +title: Policy CSP - ADMX_DataCollection +description: Policy CSP - ADMX_DataCollection +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DataCollection +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DataCollection policies + + + + +
+ + +**ADMX_DataCollection/CommercialIdPolicy** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization. + +If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the Commercial ID* +- GP name: *CommercialIdPolicy* +- GP path: *Windows Components\Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md new file mode 100644 index 0000000000..3cabf5f777 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -0,0 +1,2183 @@ +--- +title: Policy CSP - ADMX_Desktop +description: Policy CSP - ADMX_Desktop +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/02/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Desktop +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Desktop policies + +
-
+
- + ADMX_Desktop/AD_EnableFilter + +
- + ADMX_Desktop/AD_HideDirectoryFolder + +
- + ADMX_Desktop/AD_QueryLimit + +
- + ADMX_Desktop/ForceActiveDesktopOn + +
- + ADMX_Desktop/NoActiveDesktop + +
- + ADMX_Desktop/NoActiveDesktopChanges + +
- + ADMX_Desktop/NoDesktop + +
- + ADMX_Desktop/NoDesktopCleanupWizard + +
- + ADMX_Desktop/NoInternetIcon + +
- + ADMX_Desktop/NoMyComputerIcon + +
- + ADMX_Desktop/NoMyDocumentsIcon + +
- + ADMX_Desktop/NoNetHood + +
- + ADMX_Desktop/NoPropertiesMyComputer + +
- + ADMX_Desktop/NoPropertiesMyDocuments + +
- + ADMX_Desktop/NoRecentDocsNetHood + +
- + ADMX_Desktop/NoRecycleBinIcon + +
- + ADMX_Desktop/NoRecycleBinProperties + +
- + ADMX_Desktop/NoSaveSettings + +
- + ADMX_Desktop/NoWindowMinimizingShortcuts + +
- + ADMX_Desktop/Wallpaper + +
- + ADMX_Desktop/sz_ATC_DisableAdd + +
- + ADMX_Desktop/sz_ATC_DisableClose + +
- + ADMX_Desktop/sz_ATC_DisableDel + +
- + ADMX_Desktop/sz_ATC_DisableEdit + +
- + ADMX_Desktop/sz_ATC_NoComponents + +
- + ADMX_Desktop/sz_AdminComponents_Title + +
- + ADMX_Desktop/sz_DB_DragDropClose + +
- + ADMX_Desktop/sz_DB_Moving + +
- + ADMX_Desktop/sz_DWP_NoHTMLPaper + +
+ + +**ADMX_Desktop/AD_EnableFilter** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. + +If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it. + +If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu. + +To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable filter in Find dialog box* +- GP name: *AD_EnableFilter* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/AD_HideDirectoryFolder** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations. + +The Active Directory folder displays Active Directory objects in a browse window. + +If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. + +If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder. + +This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Active Directory folder* +- GP name: *AD_HideDirectoryFolder* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/AD_QueryLimit** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. + +If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search. + +If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space. + +This setting is designed to protect the network and the domain controller from the effect of expansive searches. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum size of Active Directory searches* +- GP name: *AD_QueryLimit* +- GP path: *Desktop\Active Directory* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/ForceActiveDesktopOn** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it. + +This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. + +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. + +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Active Desktop* +- GP name: *ForceActiveDesktopOn* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoActiveDesktop** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it. + +This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. + +If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it. + +> [!NOTE] +> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Active Desktop* +- GP name: *NoActiveDesktop* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoActiveDesktopChanges** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. + +This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit changes* +- GP name: *NoActiveDesktopChanges* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoDesktop** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. + +Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. + +Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide and disable all items on the desktop* +- GP name: *NoDesktop* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoDesktopCleanupWizard** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard. + +If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. + +If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. + +> [!NOTE] +> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Desktop Cleanup Wizard* +- GP name: *NoDesktopCleanupWizard* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoInternetIcon** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. + +This setting does not prevent the user from starting Internet Explorer by using other methods. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Internet Explorer icon on desktop* +- GP name: *NoInternetIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoMyComputerIcon** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment. + +If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty. + +If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. + +If you do not configure this setting, the default is to display Computer as usual. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Computer icon on the desktop* +- GP name: *NoMyComputerIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoMyDocumentsIcon** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon. + +This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. + +This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder. + +This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting. + +> [!NOTE] +> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove My Documents icon on the desktop* +- GP name: *NoMyDocumentsIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoNetHood** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop. + +This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. + +> [!NOTE] +> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Network Locations icon on desktop* +- GP name: *NoNetHood* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoPropertiesMyComputer** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer. + +If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected. + +If you disable or do not configure this setting, the Properties option is displayed as usual. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Computer icon context menu* +- GP name: *NoPropertiesMyComputer* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoPropertiesMyDocuments** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. + +If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: + +- Right-clicks the My Documents icon. +- Clicks the My Documents icon, and then opens the File menu. +- Clicks the My Documents icon, and then presses ALT+ENTER. + +If you disable or do not configure this policy setting, the Properties menu command is displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Documents icon context menu* +- GP name: *NoPropertiesMyDocuments* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoRecentDocsNetHood** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. + +If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations. + +If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not add shares of recently opened documents to Network Locations* +- GP name: *NoRecentDocsNetHood* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoRecycleBinIcon** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon. + +This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box. + +This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder. + +> [!NOTE] +> To make changes to this setting effective, you must log off and then log back on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recycle Bin icon from desktop* +- GP name: *NoRecycleBinIcon* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoRecycleBinProperties** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu. + +If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected. + +If you disable or do not configure this setting, the Properties option is displayed as usual. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Properties from the Recycle Bin context menu* +- GP name: *NoRecycleBinProperties* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoSaveSettings** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop. + +If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Don't save settings at exit* +- GP name: *NoSaveSettings* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/NoWindowMinimizingShortcuts** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. + +If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse. + +If you disable or do not configure this policy, this window minimizing and restoring gesture will apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Aero Shake window minimizing mouse gesture* +- GP name: *NoWindowMinimizingShortcuts* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/Wallpaper** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops. + +This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file. + +To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification. + +If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice. + +Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel. + +> [!NOTE] +> This setting does not apply to remote desktop server sessions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Desktop Wallpaper* +- GP name: *Wallpaper* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_ATC_DisableAdd** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop. + +This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content. + +Also, see the "Disable all items" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adding items* +- GP name: *sz_ATC_DisableAdd* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_ATC_DisableClose** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop. + +In Active Desktop, you can add items to the desktop but close them so they are not displayed. + +If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel. + +> [!NOTE] +> This setting does not prevent users from deleting items from their Active Desktop. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit closing items* +- GP name: *sz_ATC_DisableClose* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_ATC_DisableDel** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop. + +This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. + +This setting does not prevent users from adding Web content to their Active Desktop. + +Also, see the "Prohibit closing items" and "Disable all items" settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit deleting items* +- GP name: *sz_ATC_DisableDel* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_ATC_DisableEdit** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop. + +This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit editing items* +- GP name: *sz_ATC_DisableEdit* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_ATC_NoComponents** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content. + +This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. + +> [!NOTE] +> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable all items* +- GP name: *sz_ATC_NoComponents* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_AdminComponents_Title** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items. + +You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. + +You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed. + +> [!NOTE] +> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again. + +> [!NOTE] +> For this setting to take affect, you must log off and log on to the system. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add/Delete items* +- GP name: *sz_AdminComponents_Title* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_DB_DragDropClose** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars. + +If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. + +> [!NOTE] +> If users have added or removed toolbars, this setting prevents them from restoring the default configuration. + +> [!TIP] +> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars." + +Also, see the "Prohibit adjusting desktop toolbars" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent adding, dragging, dropping and closing the Taskbar's toolbars* +- GP name: *sz_DB_DragDropClose* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_DB_Moving** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. + +This setting does not prevent users from adding or removing toolbars on the desktop. + +> [!NOTE] +> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration. + +Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adjusting desktop toolbars* +- GP name: *sz_DB_Moving* +- GP path: *Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ + +**ADMX_Desktop/sz_DWP_NoHTMLPaper** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper". + +Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only bitmapped wallpaper* +- GP name: *sz_DWP_NoHTMLPaper* +- GP path: *Desktop\Desktop* +- GP ADMX file name: *Desktop.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md new file mode 100644 index 0000000000..5f9d502f36 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -0,0 +1,619 @@ +--- +title: Policy CSP - ADMX_DeviceInstallation +description: Policy CSP - ADMX_DeviceInstallation +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceInstallation +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DeviceInstallation policies + +
-
+
- + ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall + +
- + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText + +
- + ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText + +
- + ADMX_DeviceInstallation/DeviceInstall_InstallTimeout + +
- + ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime + +
- + ADMX_DeviceInstallation/DeviceInstall_Removable_Deny + +
- + ADMX_DeviceInstallation/DeviceInstall_SystemRestore + +
- + ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. + +If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow administrators to override Device Installation Restriction policies* +- GP name: *DeviceInstall_AllowAdminInstall* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message when installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_DetailText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation. + +If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation. + +If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display a custom message title when device installation is prevented by a policy setting* +- GP name: *DeviceInstall_DeniedPolicy_SimpleText* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. + +If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. + +If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure device installation time-out* +- GP name: *DeviceInstall_InstallTimeout* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. + +If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot. + +If you disable or do not configure this policy setting, the system does not force a reboot. + +Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Time (in seconds) to force reboot when required for policy changes to take effect* +- GP name: *DeviceInstall_Policy_RebootTime* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent installation of removable devices* +- GP name: *DeviceInstall_Removable_Deny* +- GP path: *System\Device Installation\Device Installation Restrictions* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DeviceInstall_SystemRestore** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. + +If you enable this policy setting, Windows does not create a system restore point when one would normally be created. + +If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point* +- GP name: *DeviceInstall_SystemRestore* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ + +**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. + +If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. + +If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow non-administrators to install drivers for these device setup classes* +- GP name: *DriverInstall_Classes_AllowUser* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceInstallation.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md new file mode 100644 index 0000000000..77264647f1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -0,0 +1,188 @@ +--- +title: Policy CSP - ADMX_DeviceSetup +description: Policy CSP - ADMX_DeviceSetup +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DeviceSetup +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DeviceSetup policies + +
-
+
- + ADMX_DeviceSetup/DeviceInstall_BalloonTips + +
- + ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration + +
+ + +**ADMX_DeviceSetup/DeviceInstall_BalloonTips** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation. + +If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed. + +If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off "Found New Hardware" balloons during device installation* +- GP name: *DeviceInstall_BalloonTips* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ + +**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers. + +If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. + +Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system. + +If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify search order for device driver source locations* +- GP name: *DriverSearchPlaces_SearchOrderConfiguration* +- GP path: *System\Device Installation* +- GP ADMX file name: *DeviceSetup.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md new file mode 100644 index 0000000000..433116e5de --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -0,0 +1,971 @@ +--- +title: Policy CSP - ADMX_EAIME +description: Policy CSP - ADMX_EAIME +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/19/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EAIME +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_EAIME policies + +
-
+
- + ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList + +
- + ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion + +
- + ADMX_EAIME/L_TurnOffCustomDictionary + +
- + ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput + +
- + ADMX_EAIME/L_TurnOffInternetSearchIntegration + +
- + ADMX_EAIME/L_TurnOffOpenExtendedDictionary + +
- + ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile + +
- + ADMX_EAIME/L_TurnOnCloudCandidate + +
- + ADMX_EAIME/L_TurnOnCloudCandidateCHS + +
- + ADMX_EAIME/L_TurnOnLexiconUpdate + +
- + ADMX_EAIME/L_TurnOnLiveStickers + +
- + ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport + +
+ + +**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. + +If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. + +If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not include Non-Publishing Standard Glyph in the candidate list* +- GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter. + +If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values: + +- 0x0001 // JIS208 area +- 0x0002 // NEC special char code +- 0x0004 // NEC selected IBM extended code +- 0x0008 // IBM extended code +- 0x0010 // Half width katakana code +- 0x0100 // EUDC(GAIJI) +- 0x0200 // S-JIS unmapped area +- 0x0400 // Unicode char +- 0x0800 // surrogate char +- 0x1000 // IVS char +- 0xFFFF // no definition. + +If you disable or do not configure this policy setting, no range of characters are filtered by default. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict character code range of conversion* +- GP name: *L_RestrictCharacterCodeRangeOfConversion* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOffCustomDictionary** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary. + +If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion. + +If you disable or do not configure this policy setting, the custom dictionary can be used by default. + +For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. + +This policy setting is applied to Japanese Microsoft IME. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off custom dictionary* +- GP name: *L_TurnOffCustomDictionary* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input. + +If you enable this policy setting, history-based predictive input is turned off. + +If you disable or do not configure this policy setting, history-based predictive input is on by default. + +This policy setting applies to Japanese Microsoft IME only. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off history-based predictive input* +- GP name: *L_TurnOffHistorybasedPredictiveInput* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOffInternetSearchIntegration** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration. + +Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME. + +If you enable this policy setting, you cannot use search integration. + +If you disable or do not configure this policy setting, the search integration function can be used by default. + +This policy setting applies to Japanese Microsoft IME. + +> [!NOTE] +> Changes to this setting will not take effect until the user logs off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Internet search integration* +- GP name: *L_TurnOffInternetSearchIntegration* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOffOpenExtendedDictionary** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary. + +If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. + +For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. + +If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. + +This policy setting is applied to Japanese Microsoft IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Open Extended Dictionary* +- GP name: *L_TurnOffOpenExtendedDictionary* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file. + +If you enable this policy setting, the auto-tuning data is not saved to file. + +If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. + +This policy setting applies to Japanese Microsoft IME only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off saving auto-tuning data to file* +- GP name: *L_TurnOffSavingAutoTuningDataToFile* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOnCloudCandidate** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. + +This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on cloud candidate* +- GP name: *L_TurnOnCloudCandidate* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOnCloudCandidateCHS** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on cloud candidate for CHS* +- GP name: *L_TurnOnCloudCandidateCHS* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOnLexiconUpdate** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC. + +If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on lexicon update* +- GP name: *L_TurnOnLexiconUpdate* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOnLiveStickers** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online. + +If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off. + +If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on. + +If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature. + +This Policy setting applies only to Microsoft CHS Pinyin IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Live Sticker* +- GP name: *L_TurnOnLiveStickers* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ + +**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report. + +If you enable this policy setting, misconversion logging is turned on. + +If you disable or do not configure this policy setting, misconversion logging is turned off. + +This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on misconversion logging for misconversion report* +- GP name: *L_TurnOnMisconversionLoggingForMisconversionReport* +- GP path: *Windows Components\IME* +- GP ADMX file name: *EAIME.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md new file mode 100644 index 0000000000..4e1cf740ae --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md @@ -0,0 +1,476 @@ +--- +title: Policy CSP - ADMX_EnhancedStorage +description: Policy CSP - ADMX_EnhancedStorage +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EnhancedStorage +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_EnhancedStorage policies + +
-
+
- + ADMX_EnhancedStorage/ApprovedEnStorDevices + +
- + ADMX_EnhancedStorage/ApprovedSilos + +
- + ADMX_EnhancedStorage/DisablePasswordAuthentication + +
- + ADMX_EnhancedStorage/DisallowLegacyDiskDevices + +
- + ADMX_EnhancedStorage/LockDeviceOnMachineLock + +
- + ADMX_EnhancedStorage/RootHubConnectedEnStorDevices + +
+ + +**ADMX_EnhancedStorage/ApprovedEnStorDevices** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. + +If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. + +If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure list of Enhanced Storage devices usable on your computer* +- GP name: *ApprovedEnStorDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
+ + +**ADMX_EnhancedStorage/ApprovedSilos** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. + +If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. + +If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure list of IEEE 1667 silos usable on your computer* +- GP name: *ApprovedSilos* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
+ + +**ADMX_EnhancedStorage/DisablePasswordAuthentication** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. + +If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. + +If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow password authentication of Enhanced Storage devices* +- GP name: *DisablePasswordAuthentication* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
+ + +**ADMX_EnhancedStorage/DisallowLegacyDiskDevices** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. + +If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. + +If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow non-Enhanced Storage removable devices* +- GP name: *DisallowLegacyDiskDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
+ + +**ADMX_EnhancedStorage/LockDeviceOnMachineLock** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked. + +This policy setting is supported in Windows Server SKUs only. + +If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. + +If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock Enhanced Storage when the computer is locked* +- GP name: *LockDeviceOnMachineLock* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
+ + +**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device. + +If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed. + +If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only USB root hub connected Enhanced Storage devices* +- GP name: *RootHubConnectedEnStorDevices* +- GP path: *System\Enhanced Storage Access* +- GP ADMX file name: *EnhancedStorage.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md new file mode 100644 index 0000000000..a220ae0692 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -0,0 +1,2202 @@ +--- +title: Policy CSP - ADMX_ErrorReporting +description: Policy CSP - ADMX_ErrorReporting +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/23/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_ErrorReporting +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_ErrorReporting policies + +
-
+
- + ADMX_ErrorReporting/PCH_AllOrNoneDef + +
- + ADMX_ErrorReporting/PCH_AllOrNoneEx + +
- + ADMX_ErrorReporting/PCH_AllOrNoneInc + +
- + ADMX_ErrorReporting/PCH_ConfigureReport + +
- + ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults + +
- + ADMX_ErrorReporting/WerArchive_1 + +
- + ADMX_ErrorReporting/WerArchive_2 + +
- + ADMX_ErrorReporting/WerAutoApproveOSDumps_1 + +
- + ADMX_ErrorReporting/WerAutoApproveOSDumps_2 + +
- + ADMX_ErrorReporting/WerBypassDataThrottling_1 + +
- + ADMX_ErrorReporting/WerBypassDataThrottling_2 + +
- + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1 + +
- + ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2 + +
- + ADMX_ErrorReporting/WerBypassPowerThrottling_1 + +
- + ADMX_ErrorReporting/WerBypassPowerThrottling_2 + +
- + ADMX_ErrorReporting/WerCER + +
- + ADMX_ErrorReporting/WerConsentCustomize_1 + +
- + ADMX_ErrorReporting/WerConsentOverride_1 + +
- + ADMX_ErrorReporting/WerConsentOverride_2 + +
- + ADMX_ErrorReporting/WerDefaultConsent_1 + +
- + ADMX_ErrorReporting/WerDefaultConsent_2 + +
- + ADMX_ErrorReporting/WerDisable_1 + +
- + ADMX_ErrorReporting/WerExlusion_1 + +
- + ADMX_ErrorReporting/WerExlusion_2 + +
- + ADMX_ErrorReporting/WerNoLogging_1 + +
- + ADMX_ErrorReporting/WerNoLogging_2 + +
- + ADMX_ErrorReporting/WerNoSecondLevelData_1 + +
- + ADMX_ErrorReporting/WerQueue_1 + +
- + ADMX_ErrorReporting/WerQueue_2 + +
+ + +**ADMX_ErrorReporting/PCH_AllOrNoneDef** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled. + +If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors. + +If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications. + +If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications. + +This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured. + +For related information, see the Configure Error Reporting and Report Operating System Errors policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Default application reporting settings* +- GP name: *PCH_AllOrNoneDef* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/PCH_AllOrNoneEx** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. + +If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting. + +If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to never report errors for* +- GP name: *PCH_AllOrNoneEx* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/PCH_AllOrNoneInc** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors. + +To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors. + +If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. + +If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) + +If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence. + +Also see the "Default Application Reporting" and "Application Exclusion List" policies. + +This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to always report errors for* +- GP name: *PCH_AllOrNoneInc* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/PCH_ConfigureReport** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled. + +This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + +> [!IMPORTANT] +> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting. + +If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: + +- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites. + +- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports. + +- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports. + +- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft. + +- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft. + +- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. + +If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. + +If you disable this policy setting, configuration settings in the policy setting are left blank. + +See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Error Reporting* +- GP name: *PCH_ConfigureReport* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled. + +If you enable this policy setting, Windows Error Reporting includes operating system errors. + +If you disable this policy setting, operating system errors are not included in error reports. + +If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors. + +See also the Configure Error Reporting policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Report operating system errors* +- GP name: *PCH_ReportOperatingSystemFaults* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerArchive_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Archive* +- GP name: *WerArchive_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerArchive_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive. + +If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted. + +If you disable or do not configure this policy setting, no Windows Error Reporting information is stored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Archive* +- GP name: *WerArchive_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerAutoApproveOSDumps_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically send memory dumps for OS-generated error reports* +- GP name: *WerAutoApproveOSDumps_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerAutoApproveOSDumps_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. + +If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user. + +If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatically send memory dumps for OS-generated error reports* +- GP name: *WerAutoApproveOSDumps_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerBypassDataThrottling_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not throttle additional data* +- GP name: *WerBypassDataThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerBypassDataThrottling_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. + +If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report. + +If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not throttle additional data* +- GP name: *WerBypassDataThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send data when on connected to a restricted/costed network* +- GP name: *WerBypassNetworkCostThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. + +If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted. + +If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send data when on connected to a restricted/costed network* +- GP name: *WerBypassNetworkCostThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerBypassPowerThrottling_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send additional data when on battery power* +- GP name: *WerBypassPowerThrottling_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerBypassPowerThrottling_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source. + +If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally. + +If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send additional data when on battery power* +- GP name: *WerBypassPowerThrottling_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerCER** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft). + +If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission. + +If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Corporate Windows Error Reporting* +- GP name: *WerCER* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerConsentCustomize_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Customize consent settings* +- GP name: *WerConsentCustomize_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerConsentOverride_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore custom consent settings* +- GP name: *WerConsentOverride_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerConsentOverride_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. + +If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. + +If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ignore custom consent settings* +- GP name: *WerConsentOverride_2* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerDefaultConsent_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Default consent* +- GP name: *WerDefaultConsent_1* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerDefaultConsent_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting. + +If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: + +- Always ask before sending data: Windows prompts users for consent to send reports. + +- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft. + +- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft. + +- Send all data: any error reporting data requested by Microsoft is sent automatically. + +If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Default consent* +- GP name: *WerDefaultConsent_2* +- GP path: *Windows Components\Windows Error Reporting\Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerDisable_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Windows Error Reporting* +- GP name: *WerDisable_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerExlusion_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to be excluded* +- GP name: *WerExlusion_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerExlusion_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. + +If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. + +If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List of applications to be excluded* +- GP name: *WerExlusion_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerNoLogging_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable logging* +- GP name: *WerNoLogging_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerNoLogging_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. + +If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. + +If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable logging* +- GP name: *WerNoLogging_2* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerNoSecondLevelData_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not send additional data* +- GP name: *WerNoSecondLevelData_1* +- GP path: *Windows Components\Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerQueue_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Queue* +- GP name: *WerQueue_1* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ + +**ADMX_ErrorReporting/WerQueue_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue. + +If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel. + +The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder. + +If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Report Queue* +- GP name: *WerQueue_2* +- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings* +- GP ADMX file name: *ErrorReporting.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md new file mode 100644 index 0000000000..97b2384e47 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md @@ -0,0 +1,1588 @@ +--- +title: Policy CSP - ADMX_EventLog +description: Policy CSP - ADMX_EventLog +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EventLog +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_EventLog policies + +
-
+
- + ADMX_EventLog/Channel_LogEnabled + +
- + ADMX_EventLog/Channel_LogFilePath_1 + +
- + ADMX_EventLog/Channel_LogFilePath_2 + +
- + ADMX_EventLog/Channel_LogFilePath_3 + +
- + ADMX_EventLog/Channel_LogFilePath_4 + +
- + ADMX_EventLog/Channel_LogMaxSize_3 + +
- + ADMX_EventLog/Channel_Log_AutoBackup_1 + +
- + ADMX_EventLog/Channel_Log_AutoBackup_2 + +
- + ADMX_EventLog/Channel_Log_AutoBackup_3 + +
- + ADMX_EventLog/Channel_Log_AutoBackup_4 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_1 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_2 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_3 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_4 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_5 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_6 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_7 + +
- + ADMX_EventLog/Channel_Log_FileLogAccess_8 + +
- + ADMX_EventLog/Channel_Log_Retention_2 + +
- + ADMX_EventLog/Channel_Log_Retention_3 + +
- + ADMX_EventLog/Channel_Log_Retention_4 + +
+ + +**ADMX_EventLog/Channel_LogEnabled** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging. + +If you enable or do not configure this policy setting, then events can be written to this log. + +If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on logging* +- GP name: *Channel_LogEnabled* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_LogFilePath_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_LogFilePath_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_LogFilePath_3** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control the location of the log file* +- GP name: *Channel_LogFilePath_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_LogFilePath_4** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. + +If you enable this policy setting, the Event Log uses the path specified in this policy setting. + +If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on logging* +- GP name: *Channel_LogFilePath_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_LogMaxSize_3** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_AutoBackup_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_AutoBackup_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_AutoBackup_3** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_AutoBackup_4** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled. + +If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. + +If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained. + +If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Back up log automatically when full* +- GP name: *Channel_Log_AutoBackup_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_1** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_1* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +If you disable or do not configure this policy setting, only system software and administrators can read or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_3** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_4** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +> [!NOTE] +> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access* +- GP name: *Channel_Log_FileLogAccess_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_5** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_5* +- GP path: *Windows Components\Event Log Service\Application* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_6** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. + +If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log. + +If you disable this policy setting, only system software and administrators can read or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_6* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_7** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. + +If you enable this policy setting, only those users matching the security descriptor can access the log. + +If you disable this policy setting, all authenticated users and system services can write, read, or clear this log. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_7* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_FileLogAccess_8** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. + +If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. + +If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it. + +If you do not configure this policy setting, the previous policy setting configuration remains in effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure log access (legacy)* +- GP name: *Channel_Log_FileLogAccess_8* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_Retention_2** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_2* +- GP path: *Windows Components\Event Log Service\Security* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_Retention_3** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_3* +- GP path: *Windows Components\Event Log Service\Setup* +- GP ADMX file name: *EventLog.admx* + + + +
+ + +**ADMX_EventLog/Channel_Log_Retention_4** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_4* +- GP path: *Windows Components\Event Log Service\System* +- GP ADMX file name: *EventLog.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md new file mode 100644 index 0000000000..594a97bf72 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -0,0 +1,641 @@ +--- +title: Policy CSP - ADMX_Kerberos +description: Policy CSP - ADMX_Kerberos +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Kerberos +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Kerberos policies + +
-
+
- + ADMX_Kerberos/AlwaysSendCompoundId + +
- + ADMX_Kerberos/DevicePKInitEnabled + +
- + ADMX_Kerberos/HostToRealm + +
- + ADMX_Kerberos/KdcProxyDisableServerRevocationCheck + +
- + ADMX_Kerberos/KdcProxyServer + +
- + ADMX_Kerberos/MitRealms + +
- + ADMX_Kerberos/ServerAcceptsCompound + +
- + ADMX_Kerberos/StrictTarget + +
+ + +**ADMX_Kerberos/AlwaysSendCompoundId** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. + +> [!NOTE] +> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. + +If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. + +If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always send compound authentication first* +- GP name: *AlwaysSendCompoundId* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/DevicePKInitEnabled** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. + +This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. + +If you enable this policy setting, the device's credentials will be selected based on the following options: + +- Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted. +- Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail. + +If you disable this policy setting, certificates will never be used. + +If you do not configure this policy setting, Automatic will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Support device authentication using certificate* +- GP name: *DevicePKInitEnabled* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/HostToRealm** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. + +If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted. + +If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define host name-to-Kerberos realm mappings* +- GP name: *HostToRealm* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server. + +If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. +Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid. + +If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers* +- GP name: *KdcProxyDisableServerRevocationCheck* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/KdcProxyServer** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names. + +If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify KDC proxy servers for Kerberos clients* +- GP name: *KdcProxyServer* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/MitRealms** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting. + +If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. + +If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted. + +If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define interoperable Kerberos V5 realm settings* +- GP name: *MitRealms* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/ServerAcceptsCompound** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication. + +Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. + +If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options: + +- Never: Compound authentication is never provided for this computer account. +- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control. +- Always: Compound authentication is always provided for this computer account. + +If you disable this policy setting, Never will be used. + +If you do not configure this policy setting, Automatic will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Support compound authentication* +- GP name: *ServerAcceptsCompound* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ + +**ADMX_Kerberos/StrictTarget** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. + +If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. + +If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require strict target SPN match on remote procedure calls* +- GP name: *StrictTarget* +- GP path: *System\Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md new file mode 100644 index 0000000000..5862dadff7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -0,0 +1,6852 @@ +--- +title: Policy CSP - ADMX_MicrosoftDefenderAntivirus +description: Policy CSP - ADMX_MicrosoftDefenderAntivirus +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/02/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_MicrosoftDefenderAntivirus +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_MicrosoftDefenderAntivirus policies + +
-
+
- + ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup + +
- + ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender + +
- + ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions + +
- + ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen + +
- + ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge + +
- + ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring + +
- + ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction + +
- + ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions + +
- + ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths + +
- + ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes + +
- + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions + +
- + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules + +
- + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications + +
- + ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders + +
- + ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation + +
- + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement + +
- + ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid + +
- + ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition + +
- + ADMX_MicrosoftDefenderAntivirus/ProxyBypass + +
- + ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl + +
- + ADMX_MicrosoftDefenderAntivirus/ProxyServer + +
- + ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay + +
- + ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay + +
- + ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring + +
- + ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection + +
- + ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime + +
- + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay + +
- + ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents + +
- + ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay + +
- + ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime + +
- + ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval + +
- + ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup + +
- + ADMX_MicrosoftDefenderAntivirus/SpynetReporting + +
- + ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting + +
- + ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction + +
- + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString + +
- + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress + +
- + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification + +
- + ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown + +
+ + +**ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. + +If you enable or do not configure this setting, the antimalware service will load as a normal priority task. + +If you disable this setting, the antimalware service will load as a low priority task. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow antimalware service to startup with normal priority* +- GP name: *AllowFastServiceStartup* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Microsoft Defender Antivirus. + +If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. + +If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product. + +If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. + +Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Microsoft Defender Antivirus* +- GP name: *DisableAntiSpywareDefender* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. + +Disabled (Default): +Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. + +Enabled: +Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios. + +Not configured: +Same as Disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Auto Exclusions* +- GP name: *DisableAutoExclusions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device. + +Enabled – The Block at First Sight setting is turned on. +Disabled – The Block at First Sight setting is turned off. + +This feature requires these Group Policy settings to be set as follows: + +- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function. +- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function. +- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function. +- Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure the 'Block at First Sight' feature* +- GP name: *DisableBlockAtFirstSeen* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. + +If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings. + +If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local administrator merge behavior for lists* +- GP name: *DisableLocalAdminMerge* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off real-time protection prompts for known malware detection. + +Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. + +If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections. + +If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off real-time protection* +- GP name: *DisableRealtimeMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action. + +If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat. + +If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off routine remediation* +- GP name: *DisableRoutinelyTakingAction* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Extension Exclusions* +- GP name: *Exclusions_Extensions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. + +As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Path Exclusions* +- GP name: *Exclusions_Paths* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Process Exclusions* +- GP name: *Exclusions_Processes* +- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Exclude files and paths from Attack Surface Reduction (ASR) rules. + +Enabled: +Specify the folders or files and resources that should be excluded from ASR rules in the Options section. +Enter each rule on a new line as a name-value pair: + +- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder +- Value column: Enter "0" for each item + +Disabled: +No exclusions will be applied to the ASR rules. + +Not configured: +Same as Disabled. + +You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Exclude files and paths from Attack Surface Reduction Rules* +- GP name: *ExploitGuard_ASR_ASROnlyExclusions* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Set the state for each Attack Surface Reduction (ASR) rule. + +After enabling this setting, you can set each rule to the following in the Options section: + +- Block: the rule will be applied +- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied) +- Off: the rule will not be applied + +Enabled: +Specify the state for each ASR rule under the Options section for this setting. +Enter each rule on a new line as a name-value pair: + +- Name column: Enter a valid ASR rule ID +- Value column: Enter the status ID that relates to state you want to specify for the associated rule + +The following status IDs are permitted under the value column: +- 1 (Block) +- 0 (Off) +- 2 (Audit) + +Example: +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 +xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 + +Disabled: +No ASR rules will be configured. + +Not configured: +Same as Disabled. + +You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Attack Surface Reduction rules* +- GP name: *ExploitGuard_ASR_Rules* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Add additional applications that should be considered "trusted" by controlled folder access. + +These applications are allowed to modify or delete files in controlled folder access folders. + +Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. + +Enabled: +Specify additional allowed applications in the Options section.. + +Disabled: +No additional applications will be added to the trusted list. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure allowed applications* +- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specify additional folders that should be guarded by the Controlled folder access feature. + +Files in these folders cannot be modified or deleted by untrusted applications. + +Default system folders are automatically protected. You can configure this setting to add additional folders. +The list of default system folders that are protected is shown in Windows Security. + +Enabled: +Specify additional folders that should be protected in the Options section. + +Disabled: +No additional folders will be protected. + +Not configured: +Same as Disabled. + +You can enable controlled folder access in the Configure controlled folder access GP setting. + +Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure protected folders* +- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders* +- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Enable or disable file hash computation feature. + +Enabled: +When this feature is enabled Microsoft Defender will compute hash value for files it scans. + +Disabled: +File hash value is not computed + +Not configured: +Same as Disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable file hash computation feature* +- GP name: *MpEngine_EnableFileHashComputation* +- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. + +If you enable or do not configure this setting, definition retirement will be enabled. + +If you disable this setting, definition retirement will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on definition retirement* +- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify additional definition sets for network traffic inspection* +- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. + +If you enable or do not configure this setting, protocol recognition will be enabled. + +If you disable this setting, protocol recognition will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on protocol recognition* +- GP name: *Nis_DisableProtocolRecognition* +- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ProxyBypass** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. + +If you enable this setting, the proxy server will be bypassed for the specified addresses. + +If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define addresses to bypass proxy server* +- GP name: *ProxyBypass* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): + +1. Proxy server (if specified) +2. Proxy .pac URL (if specified) +3. None +4. Internet Explorer proxy settings +5. Autodetect + +If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. + +If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define proxy auto-config (.pac) for connecting to the network* +- GP name: *ProxyPacUrl* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ProxyServer** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): + +1. Proxy server (if specified) +2. Proxy .pac URL (if specified) +3. None +4. Internet Explorer proxy settings +5. Autodetect + +If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://. + +If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define proxy server for connecting to the network* +- GP name: *ProxyServer* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the removal of items from Quarantine folder* +- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. + +If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure removal of items from Quarantine folder* +- GP name: *Quarantine_PurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. + +If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. + +If you disable this setting, scheduled tasks will begin at the specified start time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Randomize scheduled task times* +- GP name: *RandomizeScheduleTaskTimes* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure behavior monitoring. + +If you enable or do not configure this setting, behavior monitoring will be enabled. + +If you disable this setting, behavior monitoring will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on behavior monitoring* +- GP name: *RealtimeProtection_DisableBehaviorMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for all downloaded files and attachments. + +If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. + +If you disable this setting, scanning for all downloaded files and attachments will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan all downloaded files and attachments* +- GP name: *RealtimeProtection_DisableIOAVProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure monitoring for file and program activity. + +If you enable or do not configure this setting, monitoring for file and program activity will be enabled. + +If you disable this setting, monitoring for file and program activity will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Monitor file and program activity on your computer* +- GP name: *RealtimeProtection_DisableOnAccessProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether raw volume write notifications are sent to behavior monitoring. + +If you enable or do not configure this setting, raw write notifications will be enabled. + +If you disable this setting, raw write notifications be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on raw volume write notifications* +- GP name: *RealtimeProtection_DisableRawWriteNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. + +If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. + +If you disable this setting, a process scan will not be initiated when real-time protection is turned on. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on process scanning whenever real-time protection is enabled* +- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. + +If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. + +If you disable or do not configure this setting, a default size will be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the maximum size of downloaded files and attachments to be scanned* +- GP name: *RealtimeProtection_IOAVMaxSize* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for turn on behavior monitoring* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scanning all downloaded files and attachments* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for monitoring file and program activity on your computer* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override to turn on real-time protection* +- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity* +- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection* +- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation* +- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never (default) + +If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation* +- GP name: *Remediation_Scan_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation* +- GP name: *Remediation_Scan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections requiring additional action* +- GP name: *Reporting_AdditionalActionTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in critically failed state* +- GP name: *Reporting_CriticalFailureTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. + +If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients. + +If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off enhanced notifications* +- GP name: *Reporting_DisableEnhancedNotifications* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ +**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not Watson events are sent. + +If you enable or do not configure this setting, Watson events will be sent. + +If you disable this setting, Watson events will not be sent. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Watson events* +- GP name: *Reporting_DisablegenericrePorts* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in non-critical failed state* +- GP name: *Reporting_NonCriticalTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ +**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure time out for detections in recently remediated state* +- GP name: *Reporting_RecentlyCleanedTimeout* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy configures Windows software trace preprocessor (WPP Software Tracing) components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Windows software trace preprocessor components* +- GP name: *Reporting_WppTracingComponents* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). + +Tracing levels are defined as: + +- 1 - Error +- 2 - Warning +- 3 - Info +- 4 - Debug + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure WPP tracing level* +- GP name: *Reporting_WppTracingLevel* +- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not end users can pause a scan in progress. + +If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. + +If you disable this setting, users will not be able to pause scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow users to pause scan* +- GP name: *Scan_AllowPause* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. + +If you enable this setting, archive files will be scanned to the directory depth level specified. + +If you disable or do not configure this setting, archive files will be scanned to the default directory depth level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum depth to scan archive files* +- GP name: *Scan_ArchiveMaxDepth* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. + +If you enable this setting, archive files less than or equal to the size specified will be scanned. + +If you disable or do not configure this setting, archive files will be scanned according to the default value. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the maximum size of archive files to be scanned* +- GP name: *Scan_ArchiveMaxSize* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. + +If you enable or do not configure this setting, archive files will be scanned. + +If you disable this setting, archive files will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan archive files* +- GP name: *Scan_DisableArchiveScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). + +If you enable this setting, e-mail scanning will be enabled. + +If you disable or do not configure this setting, e-mail scanning will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on e-mail scanning* +- GP name: *Scan_DisableEmailScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. + +If you enable or do not configure this setting, heuristics will be enabled. + +If you disable this setting, heuristics will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on heuristics* +- GP name: *Scan_DisableHeuristics* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. + +If you enable or do not configure this setting, packed executables will be scanned. + +If you disable this setting, packed executables will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan packed executables* +- GP name: *Scan_DisablePackedExeScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. + +If you enable this setting, removable drives will be scanned during any type of scan. + +If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan removable drives* +- GP name: *Scan_DisableRemovableDriveScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality. + +If you enable this setting, reparse point scanning will be enabled. + +If you disable or do not configure this setting, reparse point scanning will be disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on reparse point scanning* +- GP name: *Scan_DisableReparsePointScanning* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. + +If you enable this setting, a system restore point will be created. + +If you disable or do not configure this setting, a system restore point will not be created. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Create a system restore point* +- GP name: *Scan_DisableRestorePoint* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning mapped network drives. + +If you enable this setting, mapped network drives will be scanned. + +If you disable or do not configure this setting, mapped network drives will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Run full scan on mapped network drives* +- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. + +If you enable this setting, network files will be scanned. + +If you disable or do not configure this setting, network files will not be scanned. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Scan network files* +- GP name: *Scan_DisableScanningNetworkFiles* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for maximum percentage of CPU utilization* +- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for the scan type to use for a scheduled scan* +- GP name: *Scan_LocalSettingOverrideScanParameters* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for schedule scan day* +- GP name: *Scan_LocalSettingOverrideScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scheduled quick scan time* +- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for scheduled scan time* +- GP name: *Scan_LocalSettingOverrideScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable low CPU priority for scheduled scans. + +If you enable this setting, low CPU priority will be used during scheduled scans. + +If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure low CPU priority for scheduled scans* +- GP name: *Scan_LowCpuPriority* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. + +If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans. + +If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days after which a catch-up scan is forced* +- GP name: *Scan_MissedScheduledScanCountBeforeCatchup* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days. + +If you enable this setting, items will be removed from the scan history folder after the number of days specified. + +If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on removal of items from scan history folder* +- GP name: *Scan_PurgeItemsAfterDelay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0. + +If you enable this setting, a quick scan will run at the interval specified. + +If you disable or do not configure this setting, a quick scan will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the interval to run quick scans per day* +- GP name: *Scan_QuickScanInterval* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. + +If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. + +If you disable this setting, scheduled scans will run at the scheduled time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start the scheduled scan only when computer is on but not in use* +- GP name: *Scan_ScanOnlyIfIdle* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never (default) + +If you enable this setting, a scheduled scan will run at the frequency specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to run a scheduled scan* +- GP name: *Scan_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. + +If you enable this setting, a scheduled scan will run at the time of day specified. + +If you disable or do not configure this setting, a scheduled scan will run at a default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time of day to run a scheduled scan* +- GP name: *Scan_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. + +If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled. + +If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow antimalware service to remain running always* +- GP name: *ServiceKeepAlive* +- GP path: *Windows Components\Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. + +If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. + +If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days before spyware security intelligence is considered out of date* +- GP name: *SignatureUpdate_ASSignatureDue* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. + +If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update. + +If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days before virus security intelligence is considered out of date* +- GP name: *SignatureUpdate_AVSignatureDue* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default. + +If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define file shares for downloading security intelligence updates* +- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. + +If you enable or do not configure this setting, a scan will start following a security intelligence update. + +If you disable this setting, a scan will not start following a security intelligence update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on scan after security intelligence update* +- GP name: *SignatureUpdate_DisableScanOnUpdate* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates when the computer is running on battery power. + +If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state. + +If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow security intelligence updates when running on battery power* +- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. + +If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present. + +If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Initiate security intelligence update on startup* +- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”. + +For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } + +If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. + +If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the order of sources for downloading security intelligence updates* +- GP name: *SignatureUpdate_FallbackOrder* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. + +If you enable this setting, security intelligence updates will be downloaded from Microsoft Update. + +If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow security intelligence updates from Microsoft Update* +- GP name: *SignatureUpdate_ForceUpdateFromMU* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work. + +If you enable or do not configure this setting, real-time security intelligence updates will be enabled. + +If you disable this setting, real-time security intelligence updates will disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS* +- GP name: *SignatureUpdate_RealtimeSignatureDelivery* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all. + +This setting can be configured with the following ordinal number values: + +- (0x0) Every Day (default) +- (0x1) Sunday +- (0x2) Monday +- (0x3) Tuesday +- (0x4) Wednesday +- (0x5) Thursday +- (0x6) Friday +- (0x7) Saturday +- (0x8) Never + +If you enable this setting, the check for security intelligence updates will occur at the frequency specified. + +If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the day of the week to check for security intelligence updates* +- GP name: *SignatureUpdate_ScheduleDay* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. + +If you enable this setting, the check for security intelligence updates will occur at the time of day specified. + +If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify the time to check for security intelligence updates* +- GP name: *SignatureUpdate_ScheduleTime* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the security intelligence location for VDI-configured computers. + +If you disable or do not configure this setting, security intelligence will be referred from the default local source. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define security intelligence location for VDI clients.* +- GP name: *SignatureUpdate_SharedSignaturesLocation* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work. + +If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence. + +If you disable this setting, the antimalware service will not receive notifications to disable security intelligence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS* +- GP name: *SignatureUpdate_SignatureDisableNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day. + +If you enable this setting, a catch-up security intelligence update will occur after the specified number of days. + +If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Define the number of days after which a catch-up security intelligence update is required* +- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup. + +If you enable this setting, a check for new security intelligence will occur after service startup. + +If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Check for the latest virus and spyware security intelligence on startup* +- GP name: *SignatureUpdate_UpdateOnStartup* +- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/SpynetReporting** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. + +You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. + +Possible options are: + +- (0x0) Disabled (default) +- (0x1) Basic membership +- (0x2) Advanced membership + +Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. + +Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. + +If you enable this setting, you will join Microsoft MAPS with the membership specified. + +If you disable or do not configure this setting, you will not join Microsoft MAPS. + +In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Join Microsoft MAPS* +- GP name: *SpynetReporting* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. + +If you enable this setting, the local preference setting will take priority over Group Policy. + +If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure local setting override for reporting to Microsoft MAPS* +- GP name: *Spynet_LocalSettingOverrideSpynetReporting* +- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS* +- GP ADMX file name: *WindowsDefender.admx* + + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. + +Valid remediation action values are: + +- 2 = Quarantine +- 3 = Remove +- 6 = Ignore + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify threats upon which default action should not be taken when detected* +- GP name: *Threats_ThreatIdDefaultAction* +- GP path: *Windows Components\Microsoft Defender Antivirus\Threats* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display. + +If you enable this setting, the additional text specified will be displayed. + +If you disable or do not configure this setting, there will be no additional text displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display additional text to clients when they need to perform an action* +- GP name: *UX_Configuration_CustomDefaultActionToastString* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. + +If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients. + +If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suppress all notifications* +- GP name: *UX_Configuration_Notification_Suppress* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). + +If you enable this setting AM UI won't show reboot notifications. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suppresses reboot notifications* +- GP name: *UX_Configuration_SuppressRebootNotification* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ + +**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display AM UI to the users. + +If you enable this setting AM UI won't be available to users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable headless UI mode* +- GP name: *UX_Configuration_UILockdown* +- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface* +- GP ADMX file name: *WindowsDefender.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md new file mode 100644 index 0000000000..97697da52b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -0,0 +1,568 @@ +--- +title: Policy CSP - ADMX_Programs +description: Policy CSP - ADMX_Programs +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Programs +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Programs policies + +
-
+
- + ADMX_Programs/NoDefaultPrograms + +
- + ADMX_Programs/NoGetPrograms + +
- + ADMX_Programs/NoInstalledUpdates + +
- + ADMX_Programs/NoProgramsAndFeatures + +
- + ADMX_Programs/NoProgramsCPL + +
- + ADMX_Programs/NoWindowsFeatures + +
- + ADMX_Programs/NoWindowsMarketplace + +
+ + +**ADMX_Programs/NoDefaultPrograms** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. + +The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations. + +If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users. + +This setting does not prevent users from using other tools and methods to change program access or defaults. + +This setting does not prevent the Default Programs icon from appearing on the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Set Program Access and Computer Defaults" page* +- GP name: *NoDefaultPrograms* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ + +**ADMX_Programs/NoGetPrograms** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network. + +This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them. + +Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. + +If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users. + +> [!NOTE] +> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Get Programs" page* +- GP name: *NoGetPrograms* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ + +**ADMX_Programs/NoInstalledUpdates** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task. + +"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers. + +If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Installed Updates" page* +- GP name: *NoInstalledUpdates* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ + +**ADMX_Programs/NoProgramsAndFeatures** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer. + +If this setting is disabled or not configured, "Programs and Features" will be available to all users. + +This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Programs and Features" page* +- GP name: *NoProgramsAndFeatures* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ + +**ADMX_Programs/NoProgramsCPL** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. + +The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel. + +If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users. + +When enabled, this setting takes precedence over the other settings in this folder. + +This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the Programs Control Panel* +- GP name: *NoProgramsCPL* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ + +**ADMX_Programs/NoWindowsFeatures** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services. + +If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users. + +This setting does not prevent users from using other tools and methods to configure services or enable or disable program components. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Windows Features"* +- GP name: *NoWindowsFeatures* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ + +**ADMX_Programs/NoWindowsMarketplace** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. + +Windows Marketplace allows users to purchase and/or download various programs to their computer for installation. + +Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. + +If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users. + +> [!NOTE] +> If the "Hide Programs control Panel" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide "Windows Marketplace"* +- GP name: *NoWindowsMarketplace* +- GP path: *Control Panel\Programs* +- GP ADMX file name: *Programs.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md new file mode 100644 index 0000000000..42b649433b --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -0,0 +1,706 @@ +--- +title: Policy CSP - ADMX_SettingSync +description: Policy CSP - ADMX_SettingSync +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 12/01/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SettingSync +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_SettingSync policies + +
-
+
- + ADMX_SettingSync/DisableAppSyncSettingSync + +
- + ADMX_SettingSync/DisableApplicationSettingSync + +
- + ADMX_SettingSync/DisableCredentialsSettingSync + +
- + ADMX_SettingSync/DisableDesktopThemeSettingSync + +
- + ADMX_SettingSync/DisablePersonalizationSettingSync + +
- + ADMX_SettingSync/DisableSettingSync + +
- + ADMX_SettingSync/DisableStartLayoutSettingSync + +
- + ADMX_SettingSync/DisableSyncOnPaidNetwork + +
- + ADMX_SettingSync/DisableWindowsSettingSync + +
+ + +**ADMX_SettingSync/DisableAppSyncSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "AppSync" group will not be synced. + +Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync Apps* +- GP name: *DisableAppSyncSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableApplicationSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "app settings" group will not be synced. + +Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync app settings* +- GP name: *DisableApplicationSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableCredentialsSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "passwords" group will not be synced. + +Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync passwords* +- GP name: *DisableCredentialsSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableDesktopThemeSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "desktop personalization" group will not be synced. + +Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync desktop personalization* +- GP name: *DisableDesktopThemeSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisablePersonalizationSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "personalize" group will not be synced. + +Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync personalize* +- GP name: *DisablePersonalizationSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings. + +If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC. + +Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync* +- GP name: *DisableSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableStartLayoutSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "Start layout" group will not be synced. + +Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync start settings* +- GP name: *DisableStartLayoutSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableSyncOnPaidNetwork** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings. + +If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection. + +If you do not set or disable this setting, syncing on metered connections is configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync on metered connections* +- GP name: *DisableSyncOnPaidNetwork* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ + +**ADMX_SettingSync/DisableWindowsSettingSync** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings. + +If you enable this policy setting, the "Other Windows settings" group will not be synced. + +Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled. + +If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not sync other Windows settings* +- GP name: *DisableWindowsSettingSync* +- GP path: *Windows Components\Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md new file mode 100644 index 0000000000..8e49043225 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -0,0 +1,120 @@ +--- +title: Policy CSP - ADMX_SystemRestore +description: Policy CSP - ADMX_SystemRestore +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_SystemRestore +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_SystemRestore policies + + + + +
+ + +**ADMX_SystemRestore/SR_DisableConfig** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. Allows you to disable System Restore configuration through System Protection. + +This policy setting allows you to turn off System Restore configuration through System Protection. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting. + +If you enable this policy setting, the option to configure System Restore through System Protection is disabled. + +If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection. + +Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Configuration* +- GP name: *SR_DisableConfig* +- GP path: *System\System Restore* +- GP ADMX file name: *SystemRestore.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md new file mode 100644 index 0000000000..863f094564 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md @@ -0,0 +1,489 @@ +--- +title: Policy CSP - ADMX_WPN +description: Policy CSP - ADMX_WPN +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 11/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WPN +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WPN policies + +
-
+
- + ADMX_WPN/NoCallsDuringQuietHours + +
- + ADMX_WPN/NoLockScreenToastNotification + +
- + ADMX_WPN/NoQuietHours + +
- + ADMX_WPN/NoToastNotification + +
- + ADMX_WPN/QuietHoursDailyBeginMinute + +
- + ADMX_WPN/QuietHoursDailyEndMinute + +
+ + +**ADMX_WPN/NoCallsDuringQuietHours** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours. + +If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. + +If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings. + +If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off calls during Quiet Hours* +- GP name: *NoCallsDuringQuietHours* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
+ + +**ADMX_WPN/NoLockScreenToastNotification** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen. + +If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. + +If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off toast notifications on the lock screen* +- GP name: *NoLockScreenToastNotification* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
+ + +**ADMX_WPN/NoQuietHours** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality. + +If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. + +If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings. + +If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Quiet Hours* +- GP name: *NoQuietHours* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
+ + +**ADMX_WPN/NoToastNotification** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications. + +If you enable this policy setting, applications will not be able to raise toast notifications. + +Note that this policy does not affect taskbar notification balloons. + +Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications. + +If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. + +No reboots or service restarts are required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off toast notifications* +- GP name: *NoToastNotification* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
+ + +**ADMX_WPN/QuietHoursDailyBeginMinute** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. + +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. + +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. + +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the time Quiet Hours begins each day* +- GP name: *QuietHoursDailyBeginMinute* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
+ + +**ADMX_WPN/QuietHoursDailyEndMinute** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + |
+
| Business | + |
+
| Enterprise | + |
+
| Education | + |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. + +If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. + +If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting. + +If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the time Quiet Hours ends each day* +- GP name: *QuietHoursDailyEndMinute* +- GP path: *Start Menu and Taskbar\Notifications* +- GP ADMX file name: *WPN.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f9ae070935..79487e7cc2 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -185,9 +185,7 @@ ###### [Report on antivirus protection]() ###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md) ###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md) - -###### [Manage updates and apply baselines]() -###### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) +###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md) ###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md) ###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md) ###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index f5e542e2f6..a0586d3024 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -14,10 +14,10 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 11/30/2020 +ms.date: 12/10/2020 --- -# Reduce attack surfaces with attack surface reduction rules +# Use attack surface reduction rules to prevent malware infection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -26,17 +26,17 @@ ms.date: 11/30/2020 * [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -## Overview +## Why attack surface reduction rules are important -Your attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. +Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help! -Attack surface reduction rules target certain software behaviors that are often abused by attackers. Such behaviors include: +Attack surface reduction rules target certain software behaviors, such as: - Launching executable files and scripts that attempt to download or run files; - Running obfuscated or otherwise suspicious scripts; and - Performing behaviors that apps don't usually initiate during normal day-to-day work. -Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. +Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). @@ -44,7 +44,7 @@ For more information about configuring attack surface reduction rules, see [Enab You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). -:::image type="content" source="images/asrrecommendation.png" alt-text="Security recommendation for ASR rule"::: +:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity. @@ -52,9 +52,49 @@ In the recommendation details pane, check the user impact to determine what perc Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -## Notifications when a rule is triggered +## Warn mode for users -Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. +(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. + +Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. + +### Requirements for warn mode to work + +Warn mode is supported on devices running the following versions of Windows: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +- Minimum platform release requirement: `4.18.2008.9` +- Minimum engine release requirement: `1.1.17400.5` + +For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). + +### Cases where warn mode is not supported + +Warn mode is not supported for the following attack surface reduction rules: + +- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) +- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) +- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) + +In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode. + +## Notifications and alerts + +Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. + +In addition, when certain attack surface reduction rules are triggered, alerts are generated. + +Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). + +## Advanced hunting and attack surface reduction events + +You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. + +For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM. + +For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). ## Attack surface reduction features across Windows versions @@ -93,7 +133,7 @@ You can review the Windows event log to view events generated by attack surface 5. Select **OK**. -This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: +You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | |---|---| @@ -105,25 +145,84 @@ The "engine version" listed for attack surface reduction events in the event log ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. + +If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs. + | Rule name | GUID | File & folder exclusions | Minimum OS supported | -|-----|----|---|---| -|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|:-----|:-----:|:-----|:-----| +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | +|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + +### Block Adobe Reader from creating child processes + +This rule prevents attacks by blocking Adobe Reader from creating additional processes. + +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: `Process creation from Adobe Reader (beta)` + +Configuration Manager name: Not yet available + +GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` + +### Block all Office applications from creating child processes + +This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. + +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Office apps launching child processes` + +Configuration Manager name: `Block Office application from creating child processes` + +GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` + +### Block credential stealing from the Windows local security authority subsystem + +This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). + +LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. + +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Flag credential stealing from the Windows local security authority subsystem` + +Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem` + +GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block executable content from email client and webmail @@ -138,35 +237,78 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)` -Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail +Microsoft Endpoint Configuration Manager name: `Block executable content from email client and webmail` GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` -### Block all Office applications from creating child processes +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. +- Executable files (such as .exe, .dll, or .scr) + +Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. + +> [!IMPORTANT] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly. +> +>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria` + +Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria` + +GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` + +### Block execution of potentially obfuscated scripts + +This rule detects suspicious properties within an obfuscated script. + +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. + +This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps launching child processes +Intune name: `Obfuscated js/vbs/ps/macro code` -Configuration Manager name: Block Office application from creating child processes +Configuration Manager name: `Block execution of potentially obfuscated scripts` -GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` +GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` + +### Block JavaScript or VBScript from launching downloaded executable content + +This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. + +Although not common, line-of-business applications sometimes use scripts to download and launch installers. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)` + +Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content` + +GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. - Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. +Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) @@ -174,9 +316,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager) -Intune name: Office apps/macros creating executable content +Intune name: `Office apps/macros creating executable content` -SCCM name: Block Office applications from creating executable content +SCCM name: `Block Office applications from creating executable content` GUID: `3B576869-A4EC-4529-8536-B80A7769E899` @@ -196,130 +338,50 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps injecting code into other processes (no exceptions) +Intune name: `Office apps injecting code into other processes (no exceptions)` -Configuration Manager name: Block Office applications from injecting code into other processes +Configuration Manager name: `Block Office applications from injecting code into other processes` GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` -### Block JavaScript or VBScript from launching downloaded executable content +### Block Office communication application from creating child processes -This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. +This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -Although not common, line-of-business applications sometimes use scripts to download and launch installers. +This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +> [!NOTE] +> This rule applies to Outlook and Outlook.com only. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) +Intune name: `Process creation from Office communication products (beta)` -Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content +Configuration Manager name: Not available -GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` +GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` -### Block execution of potentially obfuscated scripts +### Block persistence through WMI event subscription -This rule detects suspicious properties within an obfuscated script. - -Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Obfuscated js/vbs/ps/macro code - -Configuration Manager name: Block execution of potentially obfuscated scripts. - -GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` - -### Block Win32 API calls from Office macros - -This rule prevents VBA macros from calling Win32 APIs. - -Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Win32 imports from Office macro code - -Configuration Manager name: Block Win32 API calls from Office macros - -GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` - -### Block executable files from running unless they meet a prevalence, age, or trusted list criterion - -This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: - -- Executable files (such as .exe, .dll, or .scr) - -Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. +This rule prevents malware from abusing WMI to attain persistence on a device. > [!IMPORTANT] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. -> ->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. +> File and folder exclusions don't apply to this attack surface reduction rule. + +Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) +- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) +- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. +Intune name: Not available -Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria +Configuration Manager name: Not available -GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` - -### Use advanced protection against ransomware - -This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. - -> [!NOTE] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Advanced ransomware protection - -Configuration Manager name: Use advanced protection against ransomware - -GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` - -### Block credential stealing from the Windows local security authority subsystem - -This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). - -LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. - -> [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Flag credential stealing from the Windows local security authority subsystem - -Configuration Manager name: Block credential stealing from the Windows local security authority subsystem - -GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` +GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` ### Block process creations originating from PSExec and WMI commands @@ -333,7 +395,7 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from PSExec and WMI commands +Intune name: `Process creation from PSExec and WMI commands` Configuration Manager name: Not applicable @@ -349,69 +411,50 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Untrusted and unsigned processes that run from USB +Intune name: `Untrusted and unsigned processes that run from USB` -Configuration Manager name: Block untrusted and unsigned processes that run from USB +Configuration Manager name: `Block untrusted and unsigned processes that run from USB` GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` -### Block Office communication application from creating child processes +### Block Win32 API calls from Office macros -This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. +This rule prevents VBA macros from calling Win32 APIs. -This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Win32 imports from Office macro code` + +Configuration Manager name: `Block Win32 API calls from Office macros` + +GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` + +### Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. > [!NOTE] -> This rule applies to Outlook and Outlook.com only. +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Process creation from Office communication products (beta) +Intune name: `Advanced ransomware protection` -Configuration Manager name: Not yet available +Configuration Manager name: `Use advanced protection against ransomware` -GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` +GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` -### Block Adobe Reader from creating child processes - -This rule prevents attacks by blocking Adobe Reader from creating additional processes. - -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Adobe Reader (beta) - -Configuration Manager name: Not yet available - -GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - -### Block persistence through WMI event subscription - -This rule prevents malware from abusing WMI to attain persistence on a device. - -> [!IMPORTANT] -> File and folder exclusions don't apply to this attack surface reduction rule. - -Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. - -This rule was introduced in: -- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) -- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) - -Intune name: Not yet available - -Configuration Manager name: Not yet available - -GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` - -## Related topics +## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 38ec7959c3..aa7a4c498f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -50,6 +50,11 @@ Starting in Configuration Manager version 2002, you can onboard the following op - Windows Server 2016, version 1803 or later - Windows Server 2019 +>[!NOTE] +>For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md). + + + ### Onboard devices using System Center Configuration Manager diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 272d1480ec..80ec62a312 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 11/05/2020 +ms.date: 12/10/2020 ms.reviewer: v-maave manager: dansimp ms.custom: asr @@ -28,7 +28,7 @@ ms.custom: asr ## What is controlled folder access? -Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). +Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). @@ -36,19 +36,41 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](../mi Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. +Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders. -Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. + +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. + +## Why controlled folder access is important Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. +Controlled folder access is supported on the following versions of Windows: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -## Requirements +## Windows system folders are protected by default + +Windows system folders are protected by default, along with several other folders: + +- `c:\Users\
- Microsoft Defender Antivirus
- Manual response actions | - Isolate device
- Restrict code execution
- Quarantine a file
- Remove a registry key
- Stop a service
- Disable a driver
- Remove a scheduled task | + +### To undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. + +2. On the **History** tab, select the actions that you want to undo. + +3. In the pane on the right side of the screen, select **Undo**. + +### To remove a file from quarantine across multiple devices + + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. + +2. On the **History** tab, select a file that has the Action type **Quarantine file**. + +  + +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. + +  + ## Next steps - [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)