From b74a41aa5209232bd45c956b875674094acf337a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 20 Oct 2020 17:01:00 -0700 Subject: [PATCH 01/37] added content --- .../mdm/policy-csp-admx-bits.md | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-bits.md diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md new file mode 100644 index 0000000000..96a81a6e58 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -0,0 +1,119 @@ +--- +title: Policy CSP - ADMX_Bits +description: Policy CSP - ADMX_Bits +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/20/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Bits +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Bits policies + +
+
+ ADMX_Bits/IncludeCmdLine +
+
+ + +
+ + +**ADMX_AuditSettings/IncludeCmdLine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. + +If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. + +If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. + +Default is Not configured. + +> [!NOTE] +> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Include command line in process creation events* +- GP name: *IncludeCmdLine* +- GP path: *System/Audit Process Creation* +- GP ADMX file name: *AuditSettings.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From ffff4cf5772e245a48ab0043bf6b2ffcdf4839c8 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 21 Oct 2020 10:32:48 -0700 Subject: [PATCH 02/37] Added policies --- .../mdm/policy-csp-admx-bits.md | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 96a81a6e58..c4a92baec1 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -23,7 +23,46 @@ manager: dansimp
- ADMX_Bits/IncludeCmdLine + ADMX_Bits/BITS_DisableBranchCache +
+
+ ADMX_Bits/BITS_DisablePeercachingClient +
+
+ ADMX_Bits/BITS_DisablePeercachingServer +
+
+ ADMX_Bits/BITS_EnablePeercaching +
+
+ ADMX_Bits/BITS_MaxBandwidthServedForPeers +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Maintenance +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Work +
+
+ ADMX_Bits/BITS_MaxCacheSize +
+
+ ADMX_Bits/BITS_MaxContentAge +
+
+ ADMX_Bits/BITS_MaxDownloadTime +
+
+ ADMX_Bits/BITS_MaxFilesPerJob +
+
+ ADMX_Bits/BITS_MaxJobsPerMachine +
+
+ ADMX_Bits/BITS_MaxJobsPerUser +
+
+ ADMX_Bits/BITS_MaxRangesPerFile
From 914da70c866aad5a2172c8c1899caf37fc38cb54 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 21 Oct 2020 15:03:38 -0700 Subject: [PATCH 03/37] Added ADMX_Bits policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 14 + .../policy-configuration-service-provider.md | 48 + .../mdm/policy-csp-admx-bits.md | 965 +++++++++++++++++- 4 files changed, 1017 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index adc08ab268..23d7fa91f2 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -174,6 +174,7 @@ #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +#### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a26052c419..e7d26b7d56 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -42,6 +42,20 @@ ms.date: 10/08/2020 - [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) - [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) - [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) +- [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache) +- [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient) +- [ADMX_Bits/BITS_DisablePeercachingServer](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver) +- [ADMX_Bits/BITS_EnablePeercaching](./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching) +- [ADMX_Bits/BITS_MaxBandwidthServedForPeers](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers) +- [ADMX_Bits/BITS_MaxBandwidthV2_Maintenance](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance) +- [ADMX_Bits/BITS_MaxBandwidthV2_Work](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work) +- [ADMX_Bits/BITS_MaxCacheSize](./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize) +- [ADMX_Bits/BITS_MaxContentAge](./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage) +- [ADMX_Bits/BITS_MaxDownloadTime](./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime) +- [ADMX_Bits/BITS_MaxFilesPerJob](./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob) +- [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine) +- [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser) +- [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index ec0aca468f..36abe447bb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -245,6 +245,54 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_Bits policies + +
+
+ ADMX_Bits/BITS_DisableBranchCache +
+
+ ADMX_Bits/BITS_DisablePeercachingClient +
+
+ ADMX_Bits/BITS_DisablePeercachingServer +
+
+ ADMX_Bits/BITS_EnablePeercaching +
+
+ ADMX_Bits/BITS_MaxBandwidthServedForPeers +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Maintenance +
+
+ ADMX_Bits/BITS_MaxBandwidthV2_Work +
+
+ ADMX_Bits/BITS_MaxCacheSize +
+
+ ADMX_Bits/BITS_MaxContentAge +
+
+ ADMX_Bits/BITS_MaxDownloadTime +
+
+ ADMX_Bits/BITS_MaxFilesPerJob +
+
+ ADMX_Bits/BITS_MaxJobsPerMachine +
+
+ ADMX_Bits/BITS_MaxJobsPerUser +
+
+ ADMX_Bits/BITS_MaxRangesPerFile +
+
+ + ### ADMX_Cpls policies
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index c4a92baec1..b5f4b7b748 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -70,7 +70,7 @@ manager: dansimp
-**ADMX_AuditSettings/IncludeCmdLine** +**ADMX_Bits/BITS_DisableBranchCache** @@ -113,16 +113,86 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. +Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default. -If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. +If you enable this policy setting, the BITS client does not use Windows Branch Cache. -If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. - -Default is Not configured. +If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache. > [!NOTE] -> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. +> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow the BITS client to use Windows Branch Cache* +- GP name: *BITS_DisableBranchCache* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_DisablePeercachingClient** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). + +If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers. + +If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server. + +> [!NOTE] +> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. > [!TIP] @@ -134,10 +204,883 @@ Default is Not configured. ADMX Info: -- GP English name: *Include command line in process creation events* -- GP name: *IncludeCmdLine* -- GP path: *System/Audit Process Creation* -- GP ADMX file name: *AuditSettings.admx* +- GP English name: *Do not allow the computer to act as a BITS Peercaching client* +- GP name: *BITS_DisablePeercachingClient* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_DisablePeercachingServer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers). + +If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers. + +If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers. + +> [!NOTE] +> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow the computer to act as a BITS Peercaching server* +- GP name: *BITS_DisablePeercachingServer* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_EnablePeercaching** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. + +If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server. + +If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. + +If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow BITS Peercaching* +- GP name: *BITS_EnablePeercaching* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_MaxBandwidthServedForPeers** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server). + +To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps. + +You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching. + +If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching. + +If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used. + +> [!NOTE] +> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum network bandwidth used for Peercaching* +- GP name: *BITS_MaxBandwidthServedForPeers* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxBandwidthV2_Maintenance** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers. + +If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period. + +You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. + +If you disable or do not configure this policy setting, the limits defined for work or non-work schedules will be used. + +> [!NOTE] +> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers* +- GP name: *BITS_MaxBandwidthV2_Maintenance* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_MaxBandwidthV2_Work** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours. + +If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low. + +You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours. + +If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers* +- GP name: *BITS_MaxBandwidthV2_Work* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + + +
+ + +**ADMX_Bits/BITS_MaxCacheSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache. + +If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. + +If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size. + +> [!NOTE] +> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the BITS Peercache size* +- GP name: *BITS_MaxCacheSize* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxContentAge** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days. + +If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. + +If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache. + +> [!NOTE] +> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the age of files in the BITS Peercache* +- GP name: *BITS_MaxContentAge* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxDownloadTime** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. + +The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state. + +By default BITS uses a maximum download time of 90 days (7,776,000 seconds). + +If you enable this policy setting, you can set the maximum job download time to a specified number of seconds. + +If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum BITS job download time* +- GP name: *BITS_MaxDownloadTime* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxFilesPerJob** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. + +If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number. + +If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain. + +> [!NOTE] +> BITS Jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of files allowed in a BITS job* +- GP name: *BITS_MaxFilesPerJob* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxJobsPerMachine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs. + +If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number. + +If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs. + +> [!NOTE] +> BITS jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of BITS jobs for this computer* +- GP name: *BITS_MaxJobsPerMachine* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxJobsPerUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create. + +If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number. + +If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs. + +> [!NOTE] +> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of BITS jobs for each user* +- GP name: *BITS_MaxJobsPerUser* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* + + + +
+ + +**ADMX_Bits/BITS_MaxRangesPerFile** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. + +If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number. + +If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file. + +> [!NOTE] +> BITS Jobs created by services and the local administrator account do not count toward this limit. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the maximum number of ranges that can be added to the file in a BITS job* +- GP name: *BITS_MaxRangesPerFile* +- GP path: *Network\Background Intelligent Transfer Service (BITS)* +- GP ADMX file name: *Bits.admx* From 5dccbc972ae9732d954f3187eb3db54c65f94f69 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 22 Oct 2020 13:45:09 -0700 Subject: [PATCH 04/37] Added networkconnections ADMX-backed policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 27 + .../policy-configuration-service-provider.md | 86 + .../mdm/policy-csp-admx-networkconnections.md | 2199 +++++++++++++++++ 4 files changed, 2313 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-networkconnections.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 318c9478e2..3d854f3d2e 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -199,6 +199,7 @@ #### [ADMX_nca](policy-csp-admx-nca.md) #### [ADMX_NCSI](policy-csp-admx-ncsi.md) #### [ADMX_Netlogon](policy-csp-admx-netlogon.md) +#### [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md) #### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index e7d26b7d56..33601d8c10 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -186,6 +186,33 @@ ms.date: 10/08/2020 - [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode) - [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite) - [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns) +- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents) +- [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings) +- [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig) +- [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate) +- [ADMX_NetworkConnections/NC_DeleteAllUserConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection) +- [ADMX_NetworkConnections/NC_DeleteConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection) +- [ADMX_NetworkConnections/NC_DialupPrefs](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs) +- [ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon) +- [ADMX_NetworkConnections/NC_EnableAdminProhibits](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits) +- [ADMX_NetworkConnections/NC_ForceTunneling](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling) +- [ADMX_NetworkConnections/NC_IpStateChecking](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking) +- [ADMX_NetworkConnections/NC_LanChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties) +- [ADMX_NetworkConnections/NC_LanConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect) +- [ADMX_NetworkConnections/NC_LanProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties) +- [ADMX_NetworkConnections/NC_NewConnectionWizard](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard) +- [ADMX_NetworkConnections/NC_PersonalFirewallConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig) +- [ADMX_NetworkConnections/NC_RasAllUserProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties) +- [ADMX_NetworkConnections/NC_RasChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties) +- [ADMX_NetworkConnections/NC_RasConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect) +- [ADMX_NetworkConnections/NC_RasMyProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties) +- [ADMX_NetworkConnections/NC_RenameAllUserRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection) +- [ADMX_NetworkConnections/NC_RenameConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection) +- [ADMX_NetworkConnections/NC_RenameLanConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection) +- [ADMX_NetworkConnections/NC_RenameMyRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection) +- [ADMX_NetworkConnections/NC_ShowSharedAccessUI](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui) +- [ADMX_NetworkConnections/NC_Statistics](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics) +- [ADMX_NetworkConnections/NC_StdDomainUserSetLocation](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation) - [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders) - [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1) - [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 4b7f1c4669..f87ad5c5a8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -769,6 +769,92 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_NetworkConnections policies + +
+
+ ADMX_NetworkConnections/NC_AddRemoveComponents +
+
+ ADMX_NetworkConnections/NC_AdvancedSettings +
+
+ ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig +
+
+ ADMX_NetworkConnections/NC_ChangeBindState +
+
+ ADMX_NetworkConnections/NC_DeleteAllUserConnection +
+
+ ADMX_NetworkConnections/NC_DeleteConnection +
+
+ ADMX_NetworkConnections/NC_DialupPrefs +
+
+ ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +
+
+ ADMX_NetworkConnections/NC_EnableAdminProhibits +
+
+ ADMX_NetworkConnections/NC_ForceTunneling +
+
+ ADMX_NetworkConnections/NC_IpStateChecking +
+
+ ADMX_NetworkConnections/NC_LanChangeProperties +
+
+ ADMX_NetworkConnections/NC_LanConnect +
+
+ ADMX_NetworkConnections/NC_LanProperties +
+
+ ADMX_NetworkConnections/NC_NewConnectionWizard +
+
+ ADMX_NetworkConnections/NC_PersonalFirewallConfig +
+
+ ADMX_NetworkConnections/NC_RasAllUserProperties +
+
+ ADMX_NetworkConnections/NC_RasChangeProperties +
+
+ ADMX_NetworkConnections/NC_RasConnect +
+
+ ADMX_NetworkConnections/NC_RasMyProperties +
+
+ ADMX_NetworkConnections/NC_RenameAllUserRasConnection +
+
+ ADMX_NetworkConnections/NC_RenameConnection +
+
+ ADMX_NetworkConnections/NC_RenameLanConnection +
+
+ ADMX_NetworkConnections/NC_RenameMyRasConnection +
+
+ ADMX_NetworkConnections/NC_ShowSharedAccessUI +
+
+ ADMX_NetworkConnections/NC_Statistics +
+
+ ADMX_NetworkConnections/NC_StdDomainUserSetLocation +
+
+ ### ADMX_OfflineFiles policies
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md new file mode 100644 index 0000000000..fc26c1d0f5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -0,0 +1,2199 @@ +--- +title: Policy CSP - ADMX_NetworkConnections +description: Policy CSP - ADMX_NetworkConnections +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/21/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_NetworkConnections + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_NetworkConnections policies + +
+
+ ADMX_NetworkConnections/NC_AddRemoveComponents +
+
+ ADMX_NetworkConnections/NC_AdvancedSettings +
+
+ ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig +
+
+ ADMX_NetworkConnections/NC_ChangeBindState +
+
+ ADMX_NetworkConnections/NC_DeleteAllUserConnection +
+
+ ADMX_NetworkConnections/NC_DeleteConnection +
+
+ ADMX_NetworkConnections/NC_DialupPrefs +
+
+ ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon +
+
+ ADMX_NetworkConnections/NC_EnableAdminProhibits +
+
+ ADMX_NetworkConnections/NC_ForceTunneling +
+
+ ADMX_NetworkConnections/NC_IpStateChecking +
+
+ ADMX_NetworkConnections/NC_LanChangeProperties +
+
+ ADMX_NetworkConnections/NC_LanConnect +
+
+ ADMX_NetworkConnections/NC_LanProperties +
+
+ ADMX_NetworkConnections/NC_NewConnectionWizard +
+
+ ADMX_NetworkConnections/NC_PersonalFirewallConfig +
+
+ ADMX_NetworkConnections/NC_RasAllUserProperties +
+
+ ADMX_NetworkConnections/NC_RasChangeProperties +
+
+ ADMX_NetworkConnections/NC_RasConnect +
+
+ ADMX_NetworkConnections/NC_RasMyProperties +
+
+ ADMX_NetworkConnections/NC_RenameAllUserRasConnection +
+
+ ADMX_NetworkConnections/NC_RenameConnection +
+
+ ADMX_NetworkConnections/NC_RenameLanConnection +
+
+ ADMX_NetworkConnections/NC_RenameMyRasConnection +
+
+ ADMX_NetworkConnections/NC_ShowSharedAccessUI +
+
+ ADMX_NetworkConnections/NC_Statistics +
+
+ ADMX_NetworkConnections/NC_StdDomainUserSetLocation +
+
+ + +
+ + +**ADMX_NetworkConnections/NC_AddRemoveComponents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard. + +The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button). + +The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections. + +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked. +> +> Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit adding and removing components for a LAN or remote access connection* +- GP name: *NC_AddRemoveComponents* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_AdvancedSettings** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. + +The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators. + +> [!NOTE] +> Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to the Advanced Settings item on the Advanced menu* +- GP name: *NC_AdvancedSettings* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can configure advanced TCP/IP settings. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box. + +This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration. + +Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off. + +> [!NOTE] +> Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting. + +> [!TIP] +> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit TCP/IP advanced configuration* +- GP name: *NC_AllowAdvancedTCPIPConfig* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_ChangeBindState** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component. + +> [!NOTE] +> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection. +> +> Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit Enabling/Disabling components of a LAN connection* +- GP name: *NC_ChangeBindState* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DeleteAllUserConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can delete all user remote access connections. + +To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.) + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections. + +When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored. + +> [!NOTE] +> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to delete all user remote access connections* +- GP name: *NC_DeleteAllUserConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DeleteConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can delete remote access connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.) + +When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored. + +> [!NOTE] +> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit deletion of remote access connections* +- GP name: *NC_DeleteConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DialupPrefs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled. + +The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to the Remote Access Preferences item on the Advanced menu* +- GP name: *NC_DialupPrefs* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether or not the "local access only" network icon will be shown. + +When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. + +If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not show the "local access only" network icon* +- GP name: *NC_DoNotShowLocalOnlyIcon* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_EnableAdminProhibits** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. + +The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. + +By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators. + +If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators. + +If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators. + +> [!NOTE] +> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Windows 2000 Network Connections settings for Administrators* +- GP name: *NC_EnableAdminProhibits* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_ForceTunneling** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. + +When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. + +If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network. + +If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + +If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Route all traffic through the internal network* +- GP name: *NC_ForceTunneling* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_IpStateChecking** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. + +If you enable this policy setting, this condition will not be reported as an error to the user. + +If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off notifications when a connection has only limited or no connectivity* +- GP name: *NC_IpStateChecking* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_LanChangeProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. + +This setting determines whether the Properties button for components of a LAN connection is enabled. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators. + +The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. + +> [!NOTE] +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. +> +> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components. +> +> Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users. +> +> Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to properties of components of a LAN connection* +- GP name: *NC_LanChangeProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_LanConnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can enable/disable LAN connections. + +If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections. + +> [!NOTE] +> Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to Enable/Disable a LAN connection* +- GP name: *NC_LanConnect* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_LanProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can change the properties of a LAN connection. + +This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users. +> +> Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to properties of a LAN connection* +- GP name: *NC_LanProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_NewConnectionWizard** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard. + +> [!NOTE] +> Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to the New Connection Wizard* +- GP name: *NC_NewConnectionWizard* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_PersonalFirewallConfig** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. + +Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. + +> [!IMPORTANT] +> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. + +The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats. + +If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. + +If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2. + +If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Firewall on your DNS domain network* +- GP name: *NC_PersonalFirewallConfig* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasAllUserProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. + +To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users. + +If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to change properties of an all user remote access connection* +- GP name: *NC_RasAllUserProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasChangeProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. + +This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Properties button is enabled for all users. + +The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list. + +> [NOTE] +> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled. +> +> When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit access to properties of components of a remote access connection* +- GP name: *NC_RasChangeProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasConnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can connect and disconnect remote access connections. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit connecting and disconnecting a remote access connection* +- GP name: *NC_RasConnect* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RasMyProperties** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can view and change the properties of their private remote access connections. + +Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. + +This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu. + +> [!NOTE] +> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit changing properties of a private remote access connection* +- GP name: *NC_RasMyProperties* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameAllUserRasConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether nonadministrators can rename all-user remote access connections. + +To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. + +If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu. + +If you disable this setting, the Rename option is disabled for nonadministrators only. + +If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections. + +> [!NOTE] +> This setting does not apply to Administrators. + +When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply. + +This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to rename all user remote access connections* +- GP name: *NC_RenameAllUserRasConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting Determines whether users can rename LAN or all user remote access connections. + +If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. + +If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections. + +> [!NOTE] +> When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings. +> +> This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to rename LAN connections or remote access connections available to all users* +- GP name: *NC_RenameConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameLanConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether nonadministrators can rename a LAN connection. + +If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. + +If you disable this setting, the Rename option is disabled for nonadministrators only. + +If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections + +> [!NOTE] +> This setting does not apply to Administrators. + +When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Ability to rename LAN connections* +- GP name: *NC_RenameLanConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_RenameMyRasConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can rename their private remote access connections. + +Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. + +If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators). + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu. + +> [!NOTE] +> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit renaming private remote access connections* +- GP name: *NC_RenameMyRasConnection* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_ShowSharedAccessUI** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. + +ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. + +If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. + +If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.) + +By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS. + +> [!NOTE] +> Internet Connection Sharing is only available when two or more network connections are present. + +When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked. + +Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting. + +Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network* +- GP name: *NC_ShowSharedAccessUI* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_Statistics** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can view the status for an active connection. + +Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. + +If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box. + +If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers. + +If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prohibit viewing of status for an active connection* +- GP name: *NC_Statistics* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ + +**ADMX_NetworkConnections/NC_StdDomainUserSetLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether to require domain users to elevate when setting a network's location. + +If you enable this policy setting, domain users must elevate when setting a network's location. + +If you disable or do not configure this policy setting, domain users can set a network's location without elevating. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require domain users to elevate when setting a network's location* +- GP name: *NC_StdDomainUserSetLocation* +- GP path: *Network\Network Connections* +- GP ADMX file name: *NetworkConnections.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From 841672a23c709dd10c35597a823c84f33f44d3cb Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 22 Oct 2020 13:56:16 -0700 Subject: [PATCH 05/37] Fixed broken link --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 33601d8c10..d20b416f31 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -186,7 +186,7 @@ ms.date: 10/08/2020 - [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode) - [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite) - [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns) -- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents) +- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents) - [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings) - [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig) - [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate) From ab9a8ce9ad2279b5a6209fb636f5431af770b32c Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 22 Oct 2020 15:15:51 -0700 Subject: [PATCH 06/37] Added ADMX_Sensors policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 5 + .../policy-configuration-service-provider.md | 20 + .../mdm/policy-csp-admx-networkconnections.md | 54 +-- .../mdm/policy-csp-admx-sensors.md | 401 ++++++++++++++++++ 5 files changed, 454 insertions(+), 27 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-sensors.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3d854f3d2e..d26fe35e20 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -207,6 +207,7 @@ #### [ADMX_Scripts](policy-csp-admx-scripts.md) #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) #### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) +#### [ADMX_Sensors](policy-csp-admx-sensors.md) #### [ADMX_Servicing](policy-csp-admx-servicing.md) #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) #### [ADMX_Sharing](policy-csp-admx-sharing.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index d20b416f31..0272022007 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -292,6 +292,11 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) +- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) +- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) +- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) +- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) +- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots) - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f87ad5c5a8..a0c7d8db35 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1126,6 +1126,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_Sensors policies + +
+
+ ADMX_Sensors/DisableLocationScripting_1 +
+
+ ADMX_Sensors/DisableLocationScripting_2 +
+
+ ADMX_Sensors/DisableLocation_1 +
+
+ ADMX_Sensors/DisableSensors_1 +
+
+ ADMX_Sensors/DisableSensors_2 +
+
+ ### ADMX_Servicing policies
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index fc26c1d0f5..c9677897bc 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -153,7 +153,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard. @@ -233,7 +233,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers. @@ -309,7 +309,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can configure advanced TCP/IP settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information. @@ -390,7 +390,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses. @@ -466,7 +466,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can delete all user remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -548,7 +548,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can delete remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder. @@ -628,7 +628,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. @@ -701,7 +701,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether or not the "local access only" network icon will be shown. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. @@ -770,7 +770,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators. @@ -846,7 +846,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway. @@ -919,7 +919,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved. If you enable this policy setting, this condition will not be reported as an error to the user. @@ -988,7 +988,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enabled. @@ -1072,7 +1072,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can enable/disable LAN connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu. @@ -1148,7 +1148,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can change the properties of a LAN connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. @@ -1226,7 +1226,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. @@ -1302,7 +1302,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. @@ -1380,7 +1380,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1462,7 +1462,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled. @@ -1544,7 +1544,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can connect and disconnect remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators). @@ -1615,7 +1615,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can view and change the properties of their private remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -1695,7 +1695,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether nonadministrators can rename all-user remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option. @@ -1775,7 +1775,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting Determines whether users can rename LAN or all user remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu. @@ -1853,7 +1853,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether nonadministrators can rename a LAN connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu. @@ -1929,7 +1929,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can rename their private remote access connections. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option. @@ -2005,7 +2005,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network. @@ -2087,7 +2087,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether users can view the status for an active connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection. @@ -2160,7 +2160,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether to require domain users to elevate when setting a network's location. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md new file mode 100644 index 0000000000..00ff56dafe --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md @@ -0,0 +1,401 @@ +--- +title: Policy CSP - ADMX_Sensors +description: Policy CSP - ADMX_Sensors +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Sensors +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Sensors policies + +
+
+ ADMX_Sensors/DisableLocationScripting_1 +
+
+ ADMX_Sensors/DisableLocationScripting_2 +
+
+ ADMX_Sensors/DisableLocation_1 +
+
+ ADMX_Sensors/DisableSensors_1 +
+
+ ADMX_Sensors/DisableSensors_2 +
+
+ + +
+ + +**ADMX_Sensors/DisableLocationScripting_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. + +If you enable this policy setting, scripts for the location feature will not run. + +If you disable or do not configure this policy setting, all location scripts will run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off location scripting* +- GP name: *DisableLocationScripting_1* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableLocationScripting_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature. + +If you enable this policy setting, scripts for the location feature will not run. + +If you disable or do not configure this policy setting, all location scripts will run. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off location scripting* +- GP name: *DisableLocationScripting_2* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableLocation_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the location feature for this computer. + +If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. + +If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_1* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableSensors_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. + +If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. + +If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off sensors* +- GP name: *DisableSensors_1* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ + +**ADMX_Sensors/DisableSensors_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer. + +If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. + +If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off sensors* +- GP name: *DisableSensors_2* +- GP path: *Windows Components\Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From 42792eaf7500734ca05573627ce8a259b7abee7a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 22 Oct 2020 16:20:49 -0700 Subject: [PATCH 07/37] Added ADMX_WCM policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 3 + .../policy-configuration-service-provider.md | 14 + .../mdm/policy-csp-admx-wcm.md | 272 ++++++++++++++++++ 4 files changed, 290 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-wcm.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index d26fe35e20..e4d03174c6 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -219,6 +219,7 @@ #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) +#### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) #### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0272022007..36a06c412f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -480,6 +480,9 @@ ms.date: 10/08/2020 - [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient) - [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver) +- [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement) +- [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect) +- [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections) - [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1) - [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2) - [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a0c7d8db35..42782da458 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1750,6 +1750,20 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WCM policies + +
+
+ ADMX_WCM/WCM_DisablePowerManagement +
+
+ ADMX_WCM/WCM_EnableSoftDisconnect +
+
+ ADMX_WCM/WCM_MinimizeConnections +
+
+ ### ADMX_WinCal policies
diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md new file mode 100644 index 0000000000..0590f12265 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md @@ -0,0 +1,272 @@ +--- +title: Policy CSP - ADMX_WCM +description: Policy CSP - ADMX_WCM +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/22/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WCM +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WCM policies + +
+
+ ADMX_WCM/WCM_DisablePowerManagement +
+
+ ADMX_WCM/WCM_EnableSoftDisconnect +
+
+ ADMX_WCM/WCM_MinimizeConnections +
+
+ + +
+ + +**ADMX_WCM/WCM_DisablePowerManagement** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that power management is disabled when the machine enters connected standby mode. + +If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. + +If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable power management in connected standby mode* +- GP name: *WCM_DisablePowerManagement* +- GP path: *Network\Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
+ + +**ADMX_WCM/WCM_EnableSoftDisconnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows will soft-disconnect a computer from a network. + +If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network. + +If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network. + +When soft disconnect is enabled: + +- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted. +- Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection. +- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they’re not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network. + +This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable Windows to soft-disconnect a computer from a network* +- GP name: *WCM_EnableSoftDisconnect* +- GP path: *Network\Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
+ + +**ADMX_WCM/WCM_MinimizeConnections** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. + +If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. + +If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8. + +If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). + +If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection. + +This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Minimize the number of simultaneous connections to the Internet or a Windows Domain* +- GP name: *WCM_MinimizeConnections* +- GP path: *Network\Windows Connection Manager* +- GP ADMX file name: *WCM.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From a481e4b6eb6b3ce2be7dabe559322781bd5f7de6 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 23 Oct 2020 15:45:58 -0700 Subject: [PATCH 08/37] Added ADMX_StartMenu policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 67 + .../policy-configuration-service-provider.md | 216 +- .../mdm/policy-csp-admx-startmenu.md | 5011 +++++++++++++++++ 4 files changed, 5290 insertions(+), 5 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-startmenu.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index e4d03174c6..26ce78b220 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -214,6 +214,7 @@ #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) #### [ADMX_Smartcard](policy-csp-admx-smartcard.md) #### [ADMX_Snmp](policy-csp-admx-snmp.md) +#### [ADMX_StartMenu](policy-csp-admx-startmenu.md) #### [ADMX_tcpip](policy-csp-admx-tcpip.md) #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 36a06c412f..96d7eb2a35 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -324,6 +324,73 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) +- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) +- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) +- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) +- [ADMX_StartMenu/ClearTilesOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit) +- [ADMX_StartMenu/DesktopAppsFirstInAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview) +- [ADMX_StartMenu/DisableGlobalSearchOnAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview) +- [ADMX_StartMenu/ForceStartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff) +- [ADMX_StartMenu/GoToDesktopOnSignIn](./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin) +- [ADMX_StartMenu/GreyMSIAds](./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads) +- [ADMX_StartMenu/HidePowerOptions](./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions) +- [ADMX_StartMenu/Intellimenus](./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus) +- [ADMX_StartMenu/LockTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar) +- [ADMX_StartMenu/MemCheckBoxInRunDlg](./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg) +- [ADMX_StartMenu/NoAutoTrayNotify](./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify) +- [ADMX_StartMenu/NoBalloonTip](./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip) +- [ADMX_StartMenu/NoChangeStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu) +- [ADMX_StartMenu/NoClose](./policy-csp-admx-startmenu.md#admx-startmenu-noclose) +- [ADMX_StartMenu/NoCommonGroups](./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups) +- [ADMX_StartMenu/NoFavoritesMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu) +- [ADMX_StartMenu/NoFind](./policy-csp-admx-startmenu.md#admx-startmenu-nofind) +- [ADMX_StartMenu/NoGamesFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu) +- [ADMX_StartMenu/NoHelp](./policy-csp-admx-startmenu.md#admx-startmenu-nohelp) +- [ADMX_StartMenu/NoInstrumentation](./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation) +- [ADMX_StartMenu/NoMoreProgramsList](./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist) +- [ADMX_StartMenu/NoNetAndDialupConnect](./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect) +- [ADMX_StartMenu/NoPinnedPrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms) +- [ADMX_StartMenu/NoRecentDocsMenu](./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu) +- [ADMX_StartMenu/NoResolveSearch](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch) +- [ADMX_StartMenu/NoResolveTrack](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack) +- [ADMX_StartMenu/NoRun](./policy-csp-admx-startmenu.md#admx-startmenu-norun) +- [ADMX_StartMenu/NoSMConfigurePrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms) +- [ADMX_StartMenu/NoSMMyDocuments](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments) +- [ADMX_StartMenu/NoSMMyMusic](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic) +- [ADMX_StartMenu/NoSMMyNetworkPlaces](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces) +- [ADMX_StartMenu/NoSMMyPictures](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures) +- [ADMX_StartMenu/NoSearchCommInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu) +- [ADMX_StartMenu/NoSearchComputerLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu) +- [ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu) +- [ADMX_StartMenu/NoSearchFilesInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu) +- [ADMX_StartMenu/NoSearchInternetInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu) +- [ADMX_StartMenu/NoSearchProgramsInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu) +- [ADMX_StartMenu/NoSetFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders) +- [ADMX_StartMenu/NoSetTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar) +- [ADMX_StartMenu/NoStartMenuDownload](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload) +- [ADMX_StartMenu/NoStartMenuHomegroup](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup) +- [ADMX_StartMenu/NoStartMenuRecordedTV](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv) +- [ADMX_StartMenu/NoStartMenuSubFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders) +- [ADMX_StartMenu/NoStartMenuVideos](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos) +- [ADMX_StartMenu/NoStartPage](./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage) +- [ADMX_StartMenu/NoTaskBarClock](./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock) +- [ADMX_StartMenu/NoTaskGrouping](./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping) +- [ADMX_StartMenu/NoToolbarsOnTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar) +- [ADMX_StartMenu/NoTrayContextMenu](./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu) +- [ADMX_StartMenu/NoTrayItemsDisplay](./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay) +- [ADMX_StartMenu/NoUninstallFromStart](./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart) +- [ADMX_StartMenu/NoUserFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu) +- [ADMX_StartMenu/NoUserNameOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu) +- [ADMX_StartMenu/NoWindowsUpdate](./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate) +- [ADMX_StartMenu/PowerButtonAction](./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction) +- [ADMX_StartMenu/QuickLaunchEnabled](./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled) +- [ADMX_StartMenu/RemoveUnDockPCButton](./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton) +- [ADMX_StartMenu/ShowAppsViewOnStart](./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart) +- [ADMX_StartMenu/ShowRunAsDifferentUserInStart](./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart) +- [ADMX_StartMenu/ShowRunInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu) +- [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) +- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) +- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) - [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name) - [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval) - [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 42782da458..da0fe4b5c3 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1173,7 +1173,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-### ADMX_ShellCommandPromptRegEditTools policies +## ADMX_ShellCommandPromptRegEditTools policies
@@ -1243,7 +1243,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_Snmp policies +### ADMX_Snmp policies
@@ -1257,7 +1257,213 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_tcpip policies +### ADMX_StartMenu policies + +
+
+ ADMX_StartMenu/AddSearchInternetLinkInStartMenu +
+
+ ADMX_StartMenu/ClearRecentDocsOnExit +
+
+ ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu +
+
+ ADMX_StartMenu/ClearTilesOnExit +
+
+ ADMX_StartMenu/DesktopAppsFirstInAppsView +
+
+ ADMX_StartMenu/DisableGlobalSearchOnAppsView +
+
+ ADMX_StartMenu/ForceStartMenuLogOff +
+
+ ADMX_StartMenu/GoToDesktopOnSignIn +
+
+ ADMX_StartMenu/GreyMSIAds +
+
+ ADMX_StartMenu/HidePowerOptions +
+
+ ADMX_StartMenu/Intellimenus +
+
+ ADMX_StartMenu/LockTaskbar +
+
+ ADMX_StartMenu/MemCheckBoxInRunDlg +
+
+ ADMX_StartMenu/NoAutoTrayNotify +
+
+ ADMX_StartMenu/NoBalloonTip +
+
+ ADMX_StartMenu/NoChangeStartMenu +
+
+ ADMX_StartMenu/NoClose +
+
+ ADMX_StartMenu/NoCommonGroups +
+
+ ADMX_StartMenu/NoFavoritesMenu +
+
+ ADMX_StartMenu/NoFind +
+
+ ADMX_StartMenu/NoGamesFolderOnStartMenu +
+
+ ADMX_StartMenu/NoHelp +
+
+ ADMX_StartMenu/NoInstrumentation +
+
+ ADMX_StartMenu/NoMoreProgramsList +
+
+ ADMX_StartMenu/NoNetAndDialupConnect +
+
+ ADMX_StartMenu/NoPinnedPrograms +
+
+ ADMX_StartMenu/NoRecentDocsMenu +
+
+ ADMX_StartMenu/NoResolveSearch +
+
+ ADMX_StartMenu/NoResolveTrack +
+
+ ADMX_StartMenu/NoRun +
+
+ ADMX_StartMenu/NoSMConfigurePrograms +
+
+ ADMX_StartMenu/NoSMMyDocuments +
+
+ ADMX_StartMenu/NoSMMyMusic +
+
+ ADMX_StartMenu/NoSMMyNetworkPlaces +
+
+ ADMX_StartMenu/NoSMMyPictures +
+
+ ADMX_StartMenu/NoSearchCommInStartMenu +
+
+ ADMX_StartMenu/NoSearchComputerLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchFilesInStartMenu +
+
+ ADMX_StartMenu/NoSearchInternetInStartMenu +
+
+ ADMX_StartMenu/NoSearchProgramsInStartMenu +
+
+ ADMX_StartMenu/NoSetFolders +
+
+ ADMX_StartMenu/NoSetTaskbar +
+
+ ADMX_StartMenu/NoStartMenuDownload +
+
+ ADMX_StartMenu/NoStartMenuHomegroup +
+
+ ADMX_StartMenu/NoStartMenuRecordedTV +
+
+ ADMX_StartMenu/NoStartMenuSubFolders +
+
+ ADMX_StartMenu/NoStartMenuVideos +
+
+ ADMX_StartMenu/NoStartPage +
+
+ ADMX_StartMenu/NoTaskBarClock +
+
+ ADMX_StartMenu/NoTaskGrouping +
+
+ ADMX_StartMenu/NoToolbarsOnTaskbar +
+
+ ADMX_StartMenu/NoTrayContextMenu +
+
+ ADMX_StartMenu/NoTrayItemsDisplay +
+
+ ADMX_StartMenu/NoUninstallFromStart +
+
+ ADMX_StartMenu/NoUserFolderOnStartMenu +
+
+ ADMX_StartMenu/NoUserNameOnStartMenu +
+
+ ADMX_StartMenu/NoWindowsUpdate +
+
+ ADMX_StartMenu/PowerButtonAction +
+
+ ADMX_StartMenu/QuickLaunchEnabled +
+
+ ADMX_StartMenu/RemoveUnDockPCButton +
+
+ ADMX_StartMenu/ShowAppsViewOnStart +
+
+ ADMX_StartMenu/ShowRunAsDifferentUserInStart +
+
+ ADMX_StartMenu/ShowRunInStartMenu +
+
+ ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey +
+
+ ADMX_StartMenu/StartMenuLogOff +
+
+ ADMX_StartMenu/StartPinAppsWhenInstalled +
+
+ +### ADMX_tcpip policies
@@ -1301,7 +1507,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_Thumbnails policies +### ADMX_Thumbnails policies
@@ -1783,7 +1989,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_WindowsConnectNow policies +### ADMX_WindowsConnectNow policies
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md new file mode 100644 index 0000000000..d2005ff616 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -0,0 +1,5011 @@ +--- +title: Policy CSP - ADMX_StartMenu +description: Policy CSP - ADMX_StartMenu +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/20/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_StartMenu +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_StartMenu policies + +
+
+ ADMX_StartMenu/AddSearchInternetLinkInStartMenu +
+
+ ADMX_StartMenu/ClearRecentDocsOnExit +
+
+ ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu +
+
+ ADMX_StartMenu/ClearTilesOnExit +
+
+ ADMX_StartMenu/DesktopAppsFirstInAppsView +
+
+ ADMX_StartMenu/DisableGlobalSearchOnAppsView +
+
+ ADMX_StartMenu/ForceStartMenuLogOff +
+
+ ADMX_StartMenu/GoToDesktopOnSignIn +
+
+ ADMX_StartMenu/GreyMSIAds +
+
+ ADMX_StartMenu/HidePowerOptions +
+
+ ADMX_StartMenu/Intellimenus +
+
+ ADMX_StartMenu/LockTaskbar +
+
+ ADMX_StartMenu/MemCheckBoxInRunDlg +
+
+ ADMX_StartMenu/NoAutoTrayNotify +
+
+ ADMX_StartMenu/NoBalloonTip +
+
+ ADMX_StartMenu/NoChangeStartMenu +
+
+ ADMX_StartMenu/NoClose +
+
+ ADMX_StartMenu/NoCommonGroups +
+
+ ADMX_StartMenu/NoFavoritesMenu +
+
+ ADMX_StartMenu/NoFind +
+
+ ADMX_StartMenu/NoGamesFolderOnStartMenu +
+
+ ADMX_StartMenu/NoHelp +
+
+ ADMX_StartMenu/NoInstrumentation +
+
+ ADMX_StartMenu/NoMoreProgramsList +
+
+ ADMX_StartMenu/NoNetAndDialupConnect +
+
+ ADMX_StartMenu/NoPinnedPrograms +
+
+ ADMX_StartMenu/NoRecentDocsMenu +
+
+ ADMX_StartMenu/NoResolveSearch +
+
+ ADMX_StartMenu/NoResolveTrack +
+
+ ADMX_StartMenu/NoRun +
+
+ ADMX_StartMenu/NoSMConfigurePrograms +
+
+ ADMX_StartMenu/NoSMMyDocuments +
+
+ ADMX_StartMenu/NoSMMyMusic +
+
+ ADMX_StartMenu/NoSMMyNetworkPlaces +
+
+ ADMX_StartMenu/NoSMMyPictures +
+
+ ADMX_StartMenu/NoSearchCommInStartMenu +
+
+ ADMX_StartMenu/NoSearchComputerLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu +
+
+ ADMX_StartMenu/NoSearchFilesInStartMenu +
+
+ ADMX_StartMenu/NoSearchInternetInStartMenu +
+
+ ADMX_StartMenu/NoSearchProgramsInStartMenu +
+
+ ADMX_StartMenu/NoSetFolders +
+
+ ADMX_StartMenu/NoSetTaskbar +
+
+ ADMX_StartMenu/NoStartMenuDownload +
+
+ ADMX_StartMenu/NoStartMenuHomegroup +
+
+ ADMX_StartMenu/NoStartMenuRecordedTV +
+
+ ADMX_StartMenu/NoStartMenuSubFolders +
+
+ ADMX_StartMenu/NoStartMenuVideos +
+
+ ADMX_StartMenu/NoStartPage +
+
+ ADMX_StartMenu/NoTaskBarClock +
+
+ ADMX_StartMenu/NoTaskGrouping +
+
+ ADMX_StartMenu/NoToolbarsOnTaskbar +
+
+ ADMX_StartMenu/NoTrayContextMenu +
+
+ ADMX_StartMenu/NoTrayItemsDisplay +
+
+ ADMX_StartMenu/NoUninstallFromStart +
+
+ ADMX_StartMenu/NoUserFolderOnStartMenu +
+
+ ADMX_StartMenu/NoUserNameOnStartMenu +
+
+ ADMX_StartMenu/NoWindowsUpdate +
+
+ ADMX_StartMenu/PowerButtonAction +
+
+ ADMX_StartMenu/QuickLaunchEnabled +
+
+ ADMX_StartMenu/RemoveUnDockPCButton +
+
+ ADMX_StartMenu/ShowAppsViewOnStart +
+
+ ADMX_StartMenu/ShowRunAsDifferentUserInStart +
+
+ ADMX_StartMenu/ShowRunInStartMenu +
+
+ ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey +
+
+ ADMX_StartMenu/StartMenuLogOff +
+
+ ADMX_StartMenu/StartPinAppsWhenInstalled +
+
+ + +
+ + +**ADMX_StartMenu/AddSearchInternetLinkInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. + +If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. + +If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Search Internet link to Start Menu* +- GP name: *AddSearchInternetLinkInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ClearRecentDocsOnExit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Clear history of recently opened documents on exit. + +If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. + +If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. + +> [!NOTE] +> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. + +Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected. + +This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting. + +This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. + +This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Clear history of recently opened documents on exit* +- GP name: *ClearRecentDocsOnExit* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. + +If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Clear the recent programs list for new users* +- GP name: *ClearRecentProgForNewUserInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ClearTilesOnExit** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. + +If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. + +This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Clear tile notifications during log on* +- GP name: *ClearTilesOnExit* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/DesktopAppsFirstInAppsView** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows desktop apps to be listed first in the Apps view in Start. + +If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. + +If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *List desktop apps first in the Apps view* +- GP name: *DesktopAppsFirstInAppsView* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/DisableGlobalSearchOnAppsView** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. + +This policy setting is only applied when the Apps view is set as the default view for Start. + +If you enable this policy setting, searching from the Apps view will only search the list of installed apps. + +If you disable or don’t configure this policy setting, the user can configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Search just apps from the Apps view* +- GP name: *DisableGlobalSearchOnAppsView* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ForceStartMenuLogOff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy only applies to the classic version of the start menu and does not affect the new style start menu. + +Adds the "Log Off " item to the Start menu and prevents users from removing it. + +If you enable this setting, the Log Off item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off item from the Start Menu. + +If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. + +This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. + +Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. + +Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add Logoff to the Start Menu* +- GP name: *ForceStartMenuLogOff* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/GoToDesktopOnSignIn** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to go to the desktop instead of the Start screen when they sign in. + +If you enable this policy setting, users will always go to the desktop when they sign in. + +If you disable this policy setting, users will always go to the Start screen when they sign in. + +If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Go to the desktop instead of Start when signing in* +- GP name: *GoToDesktopOnSignIn* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/GreyMSIAds** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Displays Start menu shortcuts to partially installed programs in gray text. + +This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. + +Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. + +If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. + +> [!NOTE] +> Enabling this setting can make the Start menu slow to open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Gray unavailable Windows Installer programs Start Menu shortcuts* +- GP name: *GreyMSIAds* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/HidePowerOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. + +If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* +- GP name: *HidePowerOptions* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/Intellimenus** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables personalized menus. + +Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. + +If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. + +> [!NOTE] +> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. + +To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off personalized menus* +- GP name: *Intellimenus* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/LockTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar, which is used to switch between running applications. + +The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. + +If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. + +If you disable this setting or do not configure it, the user can configure the taskbar position. + +> [!NOTE] +> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock the Taskbar* +- GP name: *LockTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/MemCheckBoxInRunDlg** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. + +All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously. + +Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add "Run in Separate Memory Space" check box to Run dialog box* +- GP name: *MemCheckBoxInRunDlg* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoAutoTrayNotify** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area, also called the "system tray." + +The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." + +If you enable this setting, the system notification area expands to show all of the notifications that use this area. + +If you disable this setting, the system notification area will always collapse notifications. + +If you do not configure it, the user can choose if they want notifications collapsed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off notification area cleanup* +- GP name: *NoAutoTrayNotify* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoBalloonTip** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hides pop-up text on the Start menu and in the notification area. + +When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. + +If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. + +If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Balloon Tips on Start Menu items* +- GP name: *NoBalloonTip* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoChangeStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from changing their Start screen layout. + +If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. + +If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from customizing their Start Screen* +- GP name: *NoChangeStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoClose** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. + +If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. + +> [!NOTE] +> Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands* +- GP name: *NoClose* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoCommonGroups** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes items in the All Users profile from the Programs menu on the Start menu. + +By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. + +To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove common program groups from Start Menu* +- GP name: *NoCommonGroups* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoFavoritesMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from adding the Favorites menu to the Start menu or classic Start menu. + +If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. + +If you disable or do not configure this setting, the Display Favorite item is available. + +> [!NOTE] +> The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. +> +> The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. +> +> This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Favorites menu from Start Menu* +- GP name: *NoFavoritesMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoFind** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu. + +If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. + +Note: Enabling this policy setting also prevents the user from using the F3 key. + +In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. + +This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. + +If you disable or do not configure this policy setting, the Search link is available from the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Search link from Start Menu* +- GP name: *NoFind* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoGamesFolderOnStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the Games folder. + +If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Games link from Start Menu* +- GP name: *NoGamesFolderOnStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoHelp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Help command from the Start menu. + +If you enable this policy setting, the Help command is removed from the Start menu. + +If you disable or do not configure this policy setting, the Help command is available from the Start menu. + +This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Help menu from Start Menu* +- GP name: *NoHelp* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoInstrumentation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off user tracking. + +If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. + +If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. + +Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". + +This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off user tracking* +- GP name: *NoInstrumentation* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoMoreProgramsList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. + +Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. + +Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. + +Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. + +If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove All Programs list from the Start menu* +- GP name: *NoMoreProgramsList* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoNetAndDialupConnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Network Connections from the Start Menu. + +If you enable this policy setting, users are prevented from running Network Connections. + +Enabling this policy setting prevents the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu. + +Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. + +If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. + +Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Network Connections from Start Menu* +- GP name: *NoNetAndDialupConnect* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoPinnedPrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. + +In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. + +If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove pinned programs list from the Start Menu* +- GP name: *NoPinnedPrograms* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoRecentDocsMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. + +The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. + +If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. + +If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. + +When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. + +If the setting is not configured, users can turn the Recent Items menu on and off. + +> [!NOTE] +> This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. + +This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recent Items menu from Start Menu* +- GP name: *NoRecentDocsMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoResolveSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. + +If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. + +If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. + +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. + +Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not use the search-based method when resolving shell shortcuts* +- GP name: *NoResolveSearch* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoResolveTrack** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. + +If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. + +If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. + +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. + +Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not use the tracking-based method when resolving shell shortcuts* +- GP name: *NoResolveTrack* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoRun** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. + +If you enable this setting, the following changes occur: + +1. The Run command is removed from the Start menu. + +2. The New Task (Run) command is removed from Task Manager. + +3. The user will be blocked from entering the following into the Internet Explorer Address Bar: + +- A UNC path: `\\\` + +- Accessing local drives: e.g., C: + +- Accessing local folders: e.g., `\` + +Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. + +If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. + +> [!NOTE] +> This setting affects the specified interface only. It does not prevent users from using other methods to run programs. +> +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Run menu from Start Menu* +- GP name: *NoRun* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMConfigurePrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Default Programs link from the Start menu. + +If you enable this policy setting, the Default Programs link is removed from the Start menu. + +Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. + +> [!NOTE] +> This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Default Programs link from the Start menu.* +- GP name: *NoSMConfigurePrograms* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyDocuments** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Documents icon from the Start menu and its submenus. + +If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. + +> [!NOTE] +> To make changes to this policy setting effective, you must log off and then log on. + +If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. + +Also, see the "Remove Documents icon on the desktop" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Documents icon from Start Menu* +- GP name: *NoSMMyDocuments* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyMusic** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Music icon from Start Menu. + +If you enable this policy setting, the Music icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Music icon is available from Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Music icon from Start Menu* +- GP name: *NoSMMyMusic* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyNetworkPlaces** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build.This policy setting allows you to remove the Network icon from Start Menu. + +If you enable this policy setting, the Network icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Network icon is available from Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Network icon from Start Menu* +- GP name: *NoSMMyNetworkPlaces* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSMMyPictures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Pictures icon from Start Menu. + +If you enable this policy setting, the Pictures icon is no longer available from Start Menu. + +If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Pictures icon from Start Menu* +- GP name: *NoSMMyPictures* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchCommInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for communications. + +If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search communications* +- GP name: *NoSearchCommInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchComputerLinkInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. + +If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Search Computer link* +- GP name: *NoSearchComputerLinkInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + +If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove See More Results / Search Everywhere link* +- GP name: *NoSearchEverywhereLinkInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchFilesInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for files. + +If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search for files* +- GP name: *NoSearchFilesInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchInternetInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for internet history or favorites. + +If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search Internet* +- GP name: *NoSearchInternetInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSearchProgramsInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. + +If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not search programs and Control Panel items* +- GP name: *NoSearchProgramsInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSetFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove programs on Settings menu. + +If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. + +However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. + +If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. + +Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove programs on Settings menu* +- GP name: *NoSetFolders* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoSetTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + +If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. + +If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. + +If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent changes to Taskbar and Start Menu Settings* +- GP name: *NoSetTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuDownload** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Downloads link from the Start Menu. + +If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. + +If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Downloads link from Start Menu* +- GP name: *NoStartMenuDownload* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuHomegroup** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. + +If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Homegroup link from Start Menu* +- GP name: *NoStartMenuHomegroup* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuRecordedTV** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Recorded TV link from the Start Menu. + +If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. + +If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Recorded TV link from Start Menu* +- GP name: *NoStartMenuRecordedTV* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuSubFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. + +This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. + +Note that this setting hides all user-specific folders, not just those associated with redirected folders. + +If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. + +If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove user's folders from the Start Menu* +- GP name: *NoStartMenuSubFolders* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartMenuVideos** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Videos link from the Start Menu. + +If you enable this policy setting, the Start Menu does not show a link to the Videos library. + +If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Videos link from Start Menu* +- GP name: *NoStartMenuVideos* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoStartPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the presentation of the Start menu. + +The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. + +If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. + +If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. + +If you do not configure this setting, the default is the new style, and the user can change the view. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Force classic Start Menu* +- GP name: *NoStartPage* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTaskBarClock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents the clock in the system notification area from being displayed. + +If you enable this setting, the clock will not be displayed in the system notification area. + +If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Clock from the system notification area* +- GP name: *NoTaskBarClock* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTaskGrouping** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar buttons used to switch between running programs. + +Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. + +If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. + +If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent grouping of taskbar items* +- GP name: *NoTaskGrouping* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoToolbarsOnTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar. + +The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. + +If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. + +If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display any custom toolbars in the taskbar* +- GP name: *NoToolbarsOnTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTrayContextMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to the context menus for the taskbar. + +If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. + +If you disable or do not configure this policy setting, the context menus for the taskbar are available. + +This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove access to the context menus for the taskbar* +- GP name: *NoTrayContextMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoTrayItemsDisplay** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area (previously called the "system tray") on the taskbar. + +The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. + +If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. + +If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. + +> [!NOTE] +> Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the notification area* +- GP name: *NoTrayItemsDisplay* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoUninstallFromStart** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, users cannot uninstall apps from Start. + +If you disable this setting or do not configure it, users can access the uninstall command from Start. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from uninstalling applications from Start* +- GP name: *NoUninstallFromStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoUserFolderOnStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the user's storage folder. + +If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove user folder link from Start Menu* +- GP name: *NoUserFolderOnStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoUserNameOnStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. + +If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. + +To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. + +If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove user name from Start Menu* +- GP name: *NoUserNameOnStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/NoWindowsUpdate** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove links and access to Windows Update. + +If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. + +Enabling this policy setting blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. + +Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. + +If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. + +Also, see the "Hide the "Add programs from Microsoft" option" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove links and access to Windows Update* +- GP name: *NoWindowsUpdate* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/PowerButtonAction** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Set the default action of the power button on the Start menu. + +If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. + +If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down. + +If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Change Start Menu power button* +- GP name: *PowerButtonAction* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/QuickLaunchEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. + +If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. + +If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. + +If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show QuickLaunch on Taskbar* +- GP name: *QuickLaunchEnabled* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/RemoveUnDockPCButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. + +If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the "Undock PC" button from the Start Menu* +- GP name: *RemoveUnDockPCButton* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowAppsViewOnStart** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Apps view to be opened by default when the user goes to Start. + +If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. + +If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show the Apps view automatically when the user goes to Start* +- GP name: *ShowAppsViewOnStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowRunAsDifferentUserInStart** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting shows or hides the "Run as different user" command on the Start application bar. + +If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. + +If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. + +> [!NOTE] +> This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show "Run as different user" command on Start* +- GP name: *ShowRunAsDifferentUserInStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowRunInStartMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Run command is added to the Start menu. + +If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. + +If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Add the Run command to the Start Menu* +- GP name: *ShowRunInStartMenu* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. + +If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. + +If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show Start on the display the user is using when they press the Windows logo key* +- GP name: *ShowStartOnDisplayWithForegroundOnWinKey* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/StartMenuLogOff** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off " item from the Start menu and prevents users from restoring it. + +If you enable this policy setting, the Log Off item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off item to the Start Menu. + +If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. + +This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. + +Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. + +See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Logoff on the Start Menu* +- GP name: *StartMenuLogOff* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ + +**ADMX_StartMenu/StartPinAppsWhenInstalled** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pin Apps to Start when installed* +- GP name: *StartPinAppsWhenInstalled* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From 8cf15aeb58207dd7d8bd1159b86b3a585f279942 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 23 Oct 2020 16:09:02 -0700 Subject: [PATCH 09/37] Formatting --- .../mdm/policy-csp-admx-startmenu.md | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index d2005ff616..09955c429e 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -699,9 +699,9 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. This policy only applies to the classic version of the start menu and does not affect the new style start menu. -Adds the "Log Off " item to the Start menu and prevents users from removing it. +Adds the "Log Off ``" item to the Start menu and prevents users from removing it. -If you enable this setting, the Log Off item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off item from the Start Menu. +If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. @@ -2072,7 +2072,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. -In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. +In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. @@ -2376,11 +2376,11 @@ If you enable this setting, the following changes occur: 3. The user will be blocked from entering the following into the Internet Explorer Address Bar: -- A UNC path: `\\\` + - A UNC path: `\\\` -- Accessing local drives: e.g., C: + - Accessing local drives: e.g., C: -- Accessing local folders: e.g., `\` + - Accessing local folders: e.g., `\` Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. @@ -3012,7 +3012,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for files. -If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. > [!TIP] @@ -4340,7 +4340,7 @@ Available in the latest Windows 10 Insider Preview Build. This policy setting al If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. -Enabling this policy setting blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. +Enabling this policy setting blocks user access to the Windows Update Web site at https://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. @@ -4899,9 +4899,9 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off " item from the Start menu and prevents users from restoring it. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. -If you enable this policy setting, the Log Off item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off item to the Start Menu. +If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. @@ -5007,5 +5007,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - - + \ No newline at end of file From e575eb18bf8d24f8c11b4f3d9189732caa5a0edd Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 26 Oct 2020 14:27:10 -0700 Subject: [PATCH 10/37] Added ADMX_Taskbar policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 22 + .../policy-configuration-service-provider.md | 71 + .../mdm/policy-csp-admx-taskbar.md | 1663 +++++++++++++++++ 4 files changed, 1757 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-taskbar.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 26ce78b220..0923cdc140 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -215,6 +215,7 @@ #### [ADMX_Smartcard](policy-csp-admx-smartcard.md) #### [ADMX_Snmp](policy-csp-admx-snmp.md) #### [ADMX_StartMenu](policy-csp-admx-startmenu.md) +#### [ADMX_Taskbar](policy-csp-admx-taskbar.md) #### [ADMX_tcpip](policy-csp-admx-tcpip.md) #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 96d7eb2a35..551346f46f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -391,6 +391,28 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) +- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md.#admx-taskbar-disablenotificationcenter) +- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md.#admx-taskbar-enablelegacyballoonnotifications) +- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescahealth) +- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescanetwork) +- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescapower) +- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescavolume) +- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md.#admx-taskbar-noballoonfeatureadvertisements) +- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md.#admx-taskbar-nopinningstoretotaskbar) +- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md.#admx-taskbar-nopinningtodestinations) +- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md.#admx-taskbar-nopinningtotaskbar) +- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md.#admx-taskbar-noremotedestinations) +- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md.#admx-taskbar-nosystraysystempromotion) +- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md.#admx-taskbar-showwindowsstoreappsontaskbar) +- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarlockall) +- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnoaddremovetoolbar) +- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnodragtoolbar) +- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnomultimon) +- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnonotification) +- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnopinnedlist) +- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnoredock) +- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnoresize) +- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnothumbnail) - [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name) - [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval) - [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index da0fe4b5c3..521e66ecce 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1463,6 +1463,77 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_Taskbar policies + +
+
+ ADMX_Taskbar/DisableNotificationCenter +
+
+ ADMX_Taskbar/EnableLegacyBalloonNotifications +
+
+ ADMX_Taskbar/HideSCAHealth +
+
+ ADMX_Taskbar/HideSCANetwork +
+
+ ADMX_Taskbar/HideSCAPower +
+
+ ADMX_Taskbar/HideSCAVolume +
+
+ ADMX_Taskbar/NoBalloonFeatureAdvertisements +
+
+ ADMX_Taskbar/NoPinningStoreToTaskbar +
+
+ ADMX_Taskbar/NoPinningToDestinations +
+
+ ADMX_Taskbar/NoPinningToTaskbar +
+
+ ADMX_Taskbar/NoRemoteDestinations +
+
+ ADMX_Taskbar/NoSystraySystemPromotion +
+
+ ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar +
+
+ ADMX_Taskbar/TaskbarLockAll +
+
+ ADMX_Taskbar/TaskbarNoAddRemoveToolbar +
+
+ ADMX_Taskbar/TaskbarNoDragToolbar +
+
+ ADMX_Taskbar/TaskbarNoMultimon +
+
+ ADMX_Taskbar/TaskbarNoNotification +
+
+ ADMX_Taskbar/TaskbarNoPinnedList +
+
+ ADMX_Taskbar/TaskbarNoRedock +
+
+ ADMX_Taskbar/TaskbarNoResize +
+
+ ADMX_Taskbar/TaskbarNoThumbnail +
+
+ ### ADMX_tcpip policies
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md new file mode 100644 index 0000000000..d7177153a7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -0,0 +1,1663 @@ +--- +title: Policy CSP - ADMX_Taskbar +description: Policy CSP - ADMX_Taskbar +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/26/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Taskbar +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_Taskbar policies + +
+
+ ADMX_Taskbar/DisableNotificationCenter +
+
+ ADMX_Taskbar/EnableLegacyBalloonNotifications +
+
+ ADMX_Taskbar/HideSCAHealth +
+
+ ADMX_Taskbar/HideSCANetwork +
+
+ ADMX_Taskbar/HideSCAPower +
+
+ ADMX_Taskbar/HideSCAVolume +
+
+ ADMX_Taskbar/NoBalloonFeatureAdvertisements +
+
+ ADMX_Taskbar/NoPinningStoreToTaskbar +
+
+ ADMX_Taskbar/NoPinningToDestinations +
+
+ ADMX_Taskbar/NoPinningToTaskbar +
+
+ ADMX_Taskbar/NoRemoteDestinations +
+
+ ADMX_Taskbar/NoSystraySystemPromotion +
+
+ ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar +
+
+ ADMX_Taskbar/TaskbarLockAll +
+
+ ADMX_Taskbar/TaskbarNoAddRemoveToolbar +
+
+ ADMX_Taskbar/TaskbarNoDragToolbar +
+
+ ADMX_Taskbar/TaskbarNoMultimon +
+
+ ADMX_Taskbar/TaskbarNoNotification +
+
+ ADMX_Taskbar/TaskbarNoPinnedList +
+
+ ADMX_Taskbar/TaskbarNoRedock +
+
+ ADMX_Taskbar/TaskbarNoResize +
+
+ ADMX_Taskbar/TaskbarNoThumbnail +
+
+ + +
+ + +**ADMX_Taskbar/DisableNotificationCenter** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting removes Notifications and Action Center from the notification area on the taskbar. + +The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. + +If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. + +If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. + +A reboot is required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Notifications and Action Center* +- GP name: *DisableNotificationCenter* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/EnableLegacyBalloonNotifications** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy disables the functionality that converts balloons to toast notifications. + +If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. + +Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications. + +If you disable or don’t configure this policy setting, all notifications will appear as toast notifications. + +A reboot is required for this policy setting to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable showing balloon notifications as toasts.* +- GP name: *EnableLegacyBalloonNotifications* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCAHealth** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Security and Maintenance from the system control area. + +If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Security and Maintenance icon* +- GP name: *HideSCAHealth* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCANetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the networking icon from the system control area. + +If you enable this policy setting, the networking icon is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the networking icon* +- GP name: *HideSCANetwork* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCAPower** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the battery meter from the system control area. + +If you enable this policy setting, the battery meter is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the battery meter* +- GP name: *HideSCAPower* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/HideSCAVolume** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the volume control icon from the system control area. + +If you enable this policy setting, the volume control icon is not displayed in the system notification area. + +If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the volume control icon* +- GP name: *HideSCAVolume* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoBalloonFeatureAdvertisements** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off feature advertisement balloon notifications. + +If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. + +If you disable do not configure this policy setting, feature advertisement balloons are shown. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off feature advertisement balloon notifications* +- GP name: *NoBalloonFeatureAdvertisements* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoPinningStoreToTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning the Store app to the Taskbar. + +If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. + +If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow pinning Store app to the Taskbar* +- GP name: *NoPinningStoreToTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoPinningToDestinations** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning items in Jump Lists. + +If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. + +If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow pinning items in Jump Lists* +- GP name: *NoPinningToDestinations* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ + +**ADMX_Taskbar/NoPinningToTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning programs to the Taskbar. + +If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. + +If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow pinning programs to the Taskbar* +- GP name: *NoPinningToTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/NoRemoteDestinations** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. + +The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. + +If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. + +If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not display or track items in Jump Lists from remote locations* +- GP name: *NoRemoteDestinations* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/NoSystraySystemPromotion** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. + +If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. + +If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic promotion of notification icons to the taskbar* +- GP name: *NoSystraySystemPromotion* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to see Windows Store apps on the taskbar. + +If you enable this policy setting, users will see Windows Store apps on the taskbar. + +If you disable this policy setting, users won’t see Windows Store apps on the taskbar. + +If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show Windows Store apps on the taskbar* +- GP name: *ShowWindowsStoreAppsOnTaskbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarLockAll** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to lock all taskbar settings. + +If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. + +If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Lock all taskbar settings* +- GP name: *TaskbarLockAll* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoAddRemoveToolbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from adding or removing toolbars. + +If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. + +If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from adding or removing toolbars* +- GP name: *TaskbarNoAddRemoveToolbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoDragToolbar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from rearranging toolbars. + +If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. + +If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from rearranging toolbars* +- GP name: *TaskbarNoDragToolbar* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoMultimon** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent taskbars from being displayed on more than one monitor. + +If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. + +If you disable or do not configure this policy setting, users can show taskbars on more than one display. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow taskbars on more than one display* +- GP name: *TaskbarNoMultimon* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoNotification** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off all notification balloons. + +If you enable this policy setting, no notification balloons are shown to the user. + +If you disable or do not configure this policy setting, notification balloons are shown to the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off all balloon notifications* +- GP name: *TaskbarNoNotification* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoPinnedList** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove pinned programs from the taskbar. + +If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. + +If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove pinned programs from the Taskbar* +- GP name: *TaskbarNoPinnedList* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoRedock** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from moving taskbar to another screen dock location. + +If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). + +If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from moving taskbar to another screen dock location* +- GP name: *TaskbarNoRedock* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoResize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from resizing the taskbar. + +If you enable this policy setting, users are not be able to resize their taskbar. + +If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent users from resizing the taskbar* +- GP name: *TaskbarNoResize* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +
+ + +**ADMX_Taskbar/TaskbarNoThumbnail** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off taskbar thumbnails. + +If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. + +If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off taskbar thumbnails* +- GP name: *TaskbarNoThumbnail* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From 0d1043e685158ced472fdc82e785e6de9a772e72 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 26 Oct 2020 15:47:31 -0700 Subject: [PATCH 11/37] Added ADMX_WindowsStore policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 5 + .../policy-configuration-service-provider.md | 20 + .../mdm/policy-csp-admx-windowsstore.md | 409 ++++++++++++++++++ 4 files changed, 435 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-windowsstore.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 0923cdc140..c89e77b57a 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -227,6 +227,7 @@ #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 551346f46f..f3656135e6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -600,6 +600,11 @@ ms.date: 10/08/2020 - [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut) - [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown) - [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols) +- [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8) +- [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1) +- [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2) +- [ADMX_WindowsStore/RemoveWindowsStore_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1) +- [ADMX_WindowsStore/RemoveWindowsStore_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2) - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 521e66ecce..c53e85e5e4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2150,6 +2150,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WindowsStore policies + +
+
+ ADMX_WindowsStore/DisableAutoDownloadWin8 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_1 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_2 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_1 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_2 +
+
+ ### ADMX_WinInit policies
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md new file mode 100644 index 0000000000..0a790d7c01 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -0,0 +1,409 @@ +--- +title: Policy CSP - ADMX_WindowsStore +description: Policy CSP - ADMX_WindowsStore +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/26/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsStore +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_WindowsStore policies + +
+
+ ADMX_WindowsStore/DisableAutoDownloadWin8 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_1 +
+
+ ADMX_WindowsStore/DisableOSUpgrade_2 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_1 +
+
+ ADMX_WindowsStore/RemoveWindowsStore_2 +
+
+ + +
+ + +**ADMX_WindowsStore/DisableAutoDownloadWin8** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. + +If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. + +If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Automatic Download of updates on Win8 machines* +- GP name: *DisableAutoDownloadWin8* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/DisableOSUpgrade_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting enables or disables the Store offer to update to the latest version of Windows. + +If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the offer to update to the latest version of Windows* +- GP name: *DisableOSUpgrade_1* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/DisableOSUpgrade_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting enables or disables the Store offer to update to the latest version of Windows. + +If you enable this setting, the Store application will not offer updates to the latest version of Windows. + +If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the offer to update to the latest version of Windows* +- GP name: *DisableOSUpgrade_2* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/RemoveWindowsStore_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting denies or allows access to the Store application. + +If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +If you disable or don't configure this setting, access to the Store application is allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Store application* +- GP name: *RemoveWindowsStore_1* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +
+ + +**ADMX_WindowsStore/RemoveWindowsStore_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting denies or allows access to the Store application. + +If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. + +If you disable or don't configure this setting, access to the Store application is allowed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the Store application* +- GP name: *RemoveWindowsStore_2* +- GP path: *Windows Components\Store* +- GP ADMX file name: *WindowsStore.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From 938ef3c9c1f456d9d228167626d3980173065dd7 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 26 Oct 2020 16:26:39 -0700 Subject: [PATCH 12/37] Added ADMX_PowerShellExecutionPolicy policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 4 + .../policy-configuration-service-provider.md | 17 + ...licy-csp-admx-powershellexecutionpolicy.md | 351 ++++++++++++++++++ .../mdm/policy-csp-admx-windowsstore.md | 10 +- 5 files changed, 378 insertions(+), 5 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index c89e77b57a..d650e72fad 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -203,6 +203,7 @@ #### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +#### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) #### [ADMX_Reliability](policy-csp-admx-reliability.md) #### [ADMX_Scripts](policy-csp-admx-scripts.md) #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index f3656135e6..86895847dc 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -272,6 +272,10 @@ ms.date: 10/08/2020 - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3) - [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4) +- [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging) +- [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts) +- [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting) +- [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c53e85e5e4..bd728ec2e7 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1046,6 +1046,23 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_PowerShellExecutionPolicy policies + +
+
+ ADMX_PowerShellExecutionPolicy/EnableModuleLogging +
+
+ ADMX_PowerShellExecutionPolicy/EnableScripts +
+
+ ADMX_PowerShellExecutionPolicy/EnableTranscripting +
+
+ ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +
+
+ ### ADMX_Reliability policies
diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md new file mode 100644 index 0000000000..fc764bfaf5 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -0,0 +1,351 @@ +--- +title: Policy CSP - ADMX_PowerShellExecutionPolicy +description: Policy CSP - ADMX_PowerShellExecutionPolicy +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/26/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_PowerShellExecutionPolicy +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_PowerShellExecutionPolicy policies + +
+
+ ADMX_PowerShellExecutionPolicy/EnableModuleLogging +
+
+ ADMX_PowerShellExecutionPolicy/EnableScripts +
+
+ ADMX_PowerShellExecutionPolicy/EnableTranscripting +
+
+ ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath +
+
+ + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableModuleLogging** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules. + +If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True. + +If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False. + +To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Module Logging* +- GP name: *EnableModuleLogging* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableScripts** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. + +If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. + +The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. + +If you disable this policy setting, no scripts are allowed to run. + +> [!NOTE] +> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Script Execution* +- GP name: *EnableScripts* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableTranscripting** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. + +If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. + +If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet. + +If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on PowerShell Transcription* +- GP name: *EnableTranscripting* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ + +**ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. + +If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet. + +If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet. + +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the default source path for Update-Help* +- GP name: *EnableUpdateHelpDefaultSourcePath* +- GP path: *Windows Components\Windows PowerShell* +- GP ADMX file name: *PowerShellExecutionPolicy.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index 0a790d7c01..7be8a731e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -86,7 +86,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. @@ -157,7 +157,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables or disables the Store offer to update to the latest version of Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. @@ -228,7 +228,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables or disables the Store offer to update to the latest version of Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. @@ -299,7 +299,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting denies or allows access to the Store application. +Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. @@ -370,7 +370,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting denies or allows access to the Store application. +Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. From 1409ea60e13dd1fb0e1886d1799bf8577bf27b7b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 27 Oct 2020 10:58:10 -0700 Subject: [PATCH 13/37] Added ADMX_wlansvc policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 3 + .../policy-configuration-service-provider.md | 14 + .../mdm/policy-csp-admx-wlansvc.md | 260 ++++++++++++++++++ 4 files changed, 278 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-wlansvc.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index d650e72fad..2f06abcfc0 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -230,6 +230,7 @@ #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) #### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 86895847dc..da688c9114 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -612,6 +612,9 @@ ms.date: 10/08/2020 - [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription) - [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot) - [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription) +- [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost) +- [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced) +- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred) - [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index bd728ec2e7..4f04904352 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2201,6 +2201,20 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_wlansvc policies + +
+
+ ADMX_wlansvc/SetCost +
+
+ ADMX_wlansvc/SetPINEnforced +
+
+ ADMX_wlansvc/SetPINPreferred +
+
+ ### ApplicationDefaults policies
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md new file mode 100644 index 0000000000..0ca862b038 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -0,0 +1,260 @@ +--- +title: Policy CSP - ADMX_wlansvc +description: Policy CSP - ADMX_wlansvc +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_wlansvc +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_wlansvc policies + +
+
+ ADMX_wlansvc/SetCost +
+
+ ADMX_wlansvc/SetPINEnforced +
+
+ ADMX_wlansvc/SetPINPreferred +
+
+ + +
+ + +**ADMX_wlansvc/SetCost** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. +- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Cost* +- GP name: *IncludeCmdLine* +- GP path: *Network\WLAN Service\WLAN Media Cost* +- GP ADMX file name: *wlansvc.admx* + + + +
+ + +**ADMX_wlansvc/SetPINEnforced** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. + +Conversely it means that Push Button is NOT allowed. + +If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require PIN pairing* +- GP name: *SetPINEnforced* +- GP path: *Network\Wireless Display* +- GP ADMX file name: *wlansvc.admx* + + + +
+ + +**ADMX_wlansvc/SetPINPreferred** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. + +When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. + +If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prefer PIN pairing* +- GP name: *SetPINPreferred* +- GP path: *Network\Wireless Display* +- GP ADMX file name: *wlansvc.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From 7b04785a2d24606f6e63669e20cb07e800b7fcc4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 27 Oct 2020 17:03:45 -0700 Subject: [PATCH 14/37] Added ADMX_TerminalServer policies --- .../mdm/policy-csp-admx-terminalserver.md | 1036 +++++++++++++++++ 1 file changed, 1036 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-terminalserver.md diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md new file mode 100644 index 0000000000..74a8c02c29 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -0,0 +1,1036 @@ +--- +title: Policy CSP - ADMX_TerminalServer +description: Policy CSP - ADMX_TerminalServer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/27/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_TerminalServer +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_TerminalServer policies + +
+
+ ADMX_TerminalServer/TS_AUTO_RECONNECT +
+
+ ADMX_TerminalServer/TS_CAMERA_REDIRECTION +
+
+ ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE +
+
+ ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY +
+
+ ADMX_TerminalServer/TS_CLIENT_CLIPBOARD +
+
+ ADMX_TerminalServer/TS_CLIENT_COM +
+
+ ADMX_TerminalServer/TS_CLIENT_DEFAULT_M +
+
+ ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE +
+
+ ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_LPT +
+
+ ADMX_TerminalServer/TS_CLIENT_PNP +
+
+ ADMX_TerminalServer/TS_CLIENT_PRINTER +
+
+ ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 +
+
+ ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 +
+
+ ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP +
+
+ ADMX_TerminalServer/TS_COLORDEPTH +
+
+ ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES +
+
+ ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER +
+
+ ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU +
+
+ ADMX_TerminalServer/TS_EASY_PRINT +
+
+ ADMX_TerminalServer/TS_EASY_PRINT_User +
+
+ ADMX_TerminalServer/TS_EnableVirtualGraphics +
+
+ ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE +
+
+ ADMX_TerminalServer/TS_FORCIBLE_LOGOFF +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE +
+
+ ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER +
+
+ ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY +
+
+ ADMX_TerminalServer/TS_KEEP_ALIVE +
+
+ ADMX_TerminalServer/TS_LICENSE_SECGROUP +
+
+ ADMX_TerminalServer/TS_LICENSE_SERVERS +
+
+ ADMX_TerminalServer/TS_LICENSE_TOOLTIP +
+
+ ADMX_TerminalServer/TS_LICENSING_MODE +
+
+ ADMX_TerminalServer/TS_MAXDISPLAYRES +
+
+ ADMX_TerminalServer/TS_MAXMONITOR +
+
+ ADMX_TerminalServer/TS_MAX_CON_POLICY +
+
+ ADMX_TerminalServer/TS_NoDisconnectMenu +
+
+ ADMX_TerminalServer/TS_NoSecurityMenu +
+
+ ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP +
+
+ ADMX_TerminalServer/TS_PreventLicenseUpgrade +
+
+ ADMX_TerminalServer/TS_RADC_DefaultConnection +
+
+ ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration +
+
+ ADMX_TerminalServer/TS_RemoteControl_1 +
+
+ ADMX_TerminalServer/TS_RemoteControl_2 +
+
+ ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics +
+
+ ADMX_TerminalServer/TS_SD_ClustName +
+
+ ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS +
+
+ ADMX_TerminalServer/TS_SD_Loc +
+
+ ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY +
+
+ ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT +
+
+ ADMX_TerminalServer/TS_SELECT_TRANSPORT +
+
+ ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP +
+
+ ADMX_TerminalServer/TS_SERVER_AUTH +
+
+ ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED +
+
+ ADMX_TerminalServer/TS_SERVER_COMPRESSOR +
+
+ ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY +
+
+ ADMX_TerminalServer/TS_SERVER_LEGACY_RFX +
+
+ ADMX_TerminalServer/TS_SERVER_PROFILE +
+
+ ADMX_TerminalServer/TS_SERVER_VISEXP +
+
+ ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER +
+
+ ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Limits_1 +
+
+ ADMX_TerminalServer/TS_SESSIONS_Limits_2 +
+
+ ADMX_TerminalServer/TS_SINGLE_SESSION +
+
+ ADMX_TerminalServer/TS_SMART_CARD +
+
+ ADMX_TerminalServer/TS_START_PROGRAM_1 +
+
+ ADMX_TerminalServer/TS_START_PROGRAM_2 +
+
+ ADMX_TerminalServer/TS_Session_End_On_Limit_1 +
+
+ ADMX_TerminalServer/TS_Session_End_On_Limit_2 +
+
+ ADMX_TerminalServer/TS_TEMP_DELETE +
+
+ ADMX_TerminalServer/TS_TEMP_PER_SESSION +
+
+ ADMX_TerminalServer/TS_TIME_ZONE +
+
+ ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY +
+
+ ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP +
+
+ ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE +
+
+ ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY +
+
+ ADMX_TerminalServer/TS_USER_HOME +
+
+ ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES +
+
+ ADMX_TerminalServer/TS_USER_PROFILES +
+
+ + +
+ + +**ADMX_TerminalServer/TS_AUTO_RECONNECT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. + +By default, a maximum of twenty reconnection attempts are made at five second intervals. + +If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. + +If the status is set to Disabled, automatic reconnection of clients is prohibited. + +If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatic reconnection* +- GP name: *TS_AUTO_RECONNECT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CAMERA_REDIRECTION** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. + +By default, a maximum of twenty reconnection attempts are made at five second intervals. + +If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. + +If the status is set to Disabled, automatic reconnection of clients is prohibited. + +If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Automatic reconnection* +- GP name: *TS_CAMERA_REDIRECTION* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. + +A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. + +If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. + +If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. + +If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. + +> [!NOTE] +> If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Server authentication certificate template* +- GP name: *TS_CERTIFICATE_TEMPLATE_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow .rdp files from valid publishers and user's default .rdp settings* +- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). + +If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. + +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow .rdp files from valid publishers and user's default .rdp settings* +- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow .rdp files from unknown publishers* +- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. + +If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. + +If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow .rdp files from unknown publishers* +- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_AUDIO** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. + +Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. + +By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. + +If you enable this policy setting, audio and video playback redirection is allowed. + +If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow audio and video playback redirection* +- GP name: *TS_CLIENT_AUDIO* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. + +Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an audio input device on the local computer, such as a built-in microphone. + +By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. + +If you enable this policy setting, audio recording redirection is allowed. + +If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. + +If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow audio recording redirection* +- GP name: *TS_CLIENT_AUDIO_CAPTURE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. + +If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. + +The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. + +For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. + +Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. + +If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit audio playback quality* +- GP name: *TS_CLIENT_AUDIO_QUALITY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + From 328c42903f62092b0c41a3d3f8f628b2586dae2d Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 28 Oct 2020 17:18:14 -0700 Subject: [PATCH 15/37] Added TS policies --- .../mdm/policy-csp-admx-terminalserver.md | 5760 +++++++++++++++++ 1 file changed, 5760 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 74a8c02c29..d1a599cfa9 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -1021,6 +1021,5766 @@ ADMX Info:
+ +**ADMX_TerminalServer/TS_CLIENT_CLIPBOARD** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. + +If you enable this policy setting, users cannot redirect Clipboard data. + +If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. + +If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow Clipboard redirection* +- GP name: *TS_CLIENT_CLIPBOARD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_COM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. + +You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. + +If you enable this policy setting, users cannot redirect server data to the local COM port. + +If you disable this policy setting, Remote Desktop Services always allows COM port redirection. + +If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow COM port redirection* +- GP name: *TS_CLIENT_COM* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_DEFAULT_M** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. + +By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. + +If you enable this policy setting, the default printer is the printer specified on the remote computer. If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. + +If you do not configure this policy setting, the default printer is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not set default client printer to be default printer in a session* +- GP name: *TS_CLIENT_DEFAULT_M* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. + +For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow hardware accelerated decoding* +- GP name: *TS_CLIENT_DISABLE_HARDWARE_MODE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Controls whether a user can save passwords using Remote Desktop Connection. + +If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow passwords to be saved* +- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_LPT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. + +You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. + +If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. + +If you disable this policy setting, LPT port redirection is always allowed. + +If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow LPT port redirection* +- GP name: *TS_CLIENT_LPT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_PNP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. + +By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. + +If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. + +If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. + +> [!NOTE] +> You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow supported Plug and Play device redirection* +- GP name: *TS_CLIENT_PNP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_PRINTER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. + +If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. + +If you disable this policy setting, users can redirect print jobs with client printer mapping. + +If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow client printer redirection* +- GP name: *TS_CLIENT_PRINTER* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. +> +> This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* +- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. + +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. + +If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. + +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. +> +> This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* +- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. + +If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. + +If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off UDP On Client* +- GP name: *TS_CLIENT_TURN_OFF_UDP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_COLORDEPTH** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. + +You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. + +If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. + +If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. + +> [!NOTE] +> - Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. +> - The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. +> - For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: +> +> - Value specified by this policy setting. +> - Maximum color depth supported by the client. +> - Value requested by the client If the client does not support at least 16 bits, the connection is terminated. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit maximum color depth* +- GP name: *TS_COLORDEPTH* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. + +This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. + +> [!NOTE] +> If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. + +If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. + +If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit the size of the entire roaming user profile cache* +- GP name: *TS_DELETE_ROAMING_USER_PROFILES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether desktop wallpaper is displayed to clients when they are connected to a remote server using RDP. + +You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. + +If you enable this policy setting, wallpaper is not displayed in a Remote Desktop Services session. + +If you disable this policy setting, wallpaper is displayed in a Remote Desktop Services session, depending on the client configuration. + +If you do not configure this policy setting, Windows Vista displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2008 do not display wallpaper by default to Remote Desktop Services sessions. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove remote desktop wallpaper* +- GP name: *TS_DISABLE_REMOTE_DESKTOP_WALLPAPER* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. + +If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. + +If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. + +> [!NOTE] +> The policy setting affects only the default graphics processing unit (GPU) on a computer with more than one GPU installed. All additional GPUs are considered secondary adapters and used as hardware renderers. The GPU configuration of the local session is not affected by this policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use the hardware default graphics adapter for all Remote Desktop Services sessions* +- GP name: *TS_DX_USE_FULL_HWGPU* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_EASY_PRINT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use Remote Desktop Easy Print printer driver first* +- GP name: *TS_EASY_PRINT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_EASY_PRINT_User** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. + +If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. + +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. + +> [!NOTE] +> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use Remote Desktop Easy Print printer driver first* +- GP name: *TS_EASY_PRINT_User* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_EnableVirtualGraphics** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. + +When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. + +When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. + +If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. + +If you disable this policy setting, RemoteFX will be disabled. + +If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure RemoteFX* +- GP name: *TS_EnableVirtualGraphics* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. + +By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. + +If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: + +- "Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. +- "Default to PCL if one is not found" - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. +- "Default to PS if one is not found" - If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. +- "Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. + +If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. + +If you do not configure this policy setting, the fallback printer driver behavior is off by default. + +> [!NOTE] +> If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify RD Session Host server fallback printer driver behavior* +- GP name: *TS_FALLBACKPRINTDRIVERTYPE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_FORCIBLE_LOGOFF** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. + +This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. + +If you enable this policy setting, logging off the connected administrator is not allowed. + +If you disable or do not configure this policy setting, logging off the connected administrator is allowed. + +> [!NOTE] +> The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Deny logoff of an administrator logged in to the console session* +- GP name: *TS_FORCIBLE_LOGOFF* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set RD Gateway authentication method* +- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. + +You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. + +If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable connection through RD Gateway* +- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. + +> [!NOTE] +> It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. + +To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. + +> [!NOTE] +> If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set RD Gateway server address* +- GP name: *TS_GATEWAY_POLICY_SERVER* +- GP path: *Windows Components\Remote Desktop Services\RD Gateway* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. + +If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. + +If the policy setting is not configured, the policy setting is not specified at the Group Policy level. + +> [!NOTE] +> - If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. +> - For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Join RD Connection Broker* +- GP name: *TS_JOIN_SESSION_DIRECTORY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_KEEP_ALIVE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. + +After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. + +If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. + +If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure keep-alive connection interval* +- GP name: *TS_KEEP_ALIVE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_LICENSE_SECGROUP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). + +You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. + +If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. + +If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. + +> [!NOTE] +> You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *License server security group* +- GP name: *TS_LICENSE_SECGROUP* +- GP path: *Windows Components\Remote Desktop Services\RD Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_LICENSE_SERVERS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. + +If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: + +1. Remote Desktop license servers that are published in Active Directory Domain Services. +2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. + +If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use the specified Remote Desktop license servers* +- GP name: *TS_LICENSE_SERVERS* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_LICENSE_TOOLTIP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. + +By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. + +If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. + +If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide notifications about RD Licensing problems that affect the RD Session Host server* +- GP name: *TS_LICENSE_TOOLTIP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_LICENSING_MODE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. + +You can use this policy setting to select one of two licensing modes: Per User or Per Device. Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL. + +Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL. + +If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server. + +If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set the Remote Desktop licensing mode* +- GP name: *TS_LICENSING_MODE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_MAXDISPLAYRES** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. + +If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. + +If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit maximum display resolution* +- GP name: *TS_MAXDISPLAYRES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_MAXMONITOR** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. + +If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. + +If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit number of monitors* +- GP name: *TS_MAXMONITOR* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_MAX_CON_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. + +You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. + +To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999. + +If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remote Desktop Services running on the server. + +If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. + +> [!NOTE] +> This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Limit number of connections* +- GP name: *TS_MAX_CON_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_NoDisconnectMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. + +You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. + +If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. + +> [!NOTE] +> This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove "Disconnect" option from Shut Down dialog* +- GP name: *TS_NoDisconnectMenu* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_NoSecurityMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. + +If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. + +If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Windows Security item from Start menu* +- GP name: *TS_NoSecurityMenu* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. + +If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. + +> [!NOTE] +> If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. + +If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. + +For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prompt for credentials on the client computer* +- GP name: *TS_PROMT_CREDS_CLIENT_COMP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_PreventLicenseUpgrade** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. + +A license server attempts to provide the most appropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. + +By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: + +- A client connecting to a Windows Server 2003 terminal server +- A client connecting to a Windows 2000 terminal server + +If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. + +If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent license upgrade* +- GP name: *TS_PreventLicenseUpgrade* +- GP path: *Windows Components\Remote Desktop Services\RD Licensing* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RADC_DefaultConnection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. + +The default connection URL must be configured in the form of http://contoso.com/rdweb/Feed/webfeed.aspx. + +If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. + +If you disable or do not configure this policy setting, the user has no default connection URL. + +> [!NOTE] +> RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify default connection URL* +- GP name: *TS_RADC_DefaultConnection* +- GP path: *Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. + +If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. + +If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Suspend user sign-in to complete app registration* +- GP name: *TS_RDSAppX_WaitForRegistration* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteControl_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. + +Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set rules for remote control of Remote Desktop Services user sessions* +- GP name: *TS_RemoteControl_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteControl_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. + +Select the desired level of control and permission from the options list: + +1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. +2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. +3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. +4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. +5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. + +If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set rules for remote control of Remote Desktop Services user sessions* +- GP name: *TS_RemoteControl_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. + +Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). + +If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. + +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Optimize visual experience when using RemoteFX* +- GP name: *TS_RemoteDesktopVirtualGraphics* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_ClustName** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. + +If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. + +If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. + +> [!NOTE] +> - This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. +>- For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure RD Connection Broker farm name* +- GP name: *TS_SD_ClustName* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. + +If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. + +If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. + +If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. + +> [!NOTE] +> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use IP Address Redirection* +- GP name: *TS_SD_EXPOSE_ADDRESS* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SD_Loc** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. + +If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. + +If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. + +> [!NOTE] +> - For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. +> - This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. +> - To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure RD Connection Broker server name* +- GP name: *TS_SD_Loc* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. + +If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: + +- Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. +- RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. +- SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. + +If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require use of specific security layer for remote (RDP) connections* +- GP name: *TS_SECURITY_LAYER_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. + +If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. + +If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. + +If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. + +If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select network detection on the server* +- GP name: *TS_SELECT_NETWORK_DETECT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SELECT_TRANSPORT** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. + +If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)". If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. + +If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. + +If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select RDP transport protocols* +- GP name: *TS_SELECT_TRANSPORT* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. + +If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. + +If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use advanced RemoteFX graphics for RemoteApp* +- GP name: *TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_AUTH** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + +If you enable this policy setting, you must specify one of the following settings: +- Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. +- Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. +- Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. + +If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure server authentication for client* +- GP name: *TS_SERVER_AUTH* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* +- GP name: *TS_SERVER_AVC444_MODE_PREFERRED* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. + +If you set the encoding option to “Always Attempt”, Remote Desktop will always try to use H.264/AVC hardware encoding when available, be aware that, for Windows Server running Hyper-V with RemoteFX vGPU enabled, the policy has to be set on the Hyper-V host machine. + +If you set the encoding option to “Attempt only for RemoteFX vGPU virtual machines” be aware that, for Windows Server running Hyper-V with RemoteFX vGPU enabled, the policy has to be set on the Hyper-V host machine. + +If you set the encoding option to “Attempt only for non-RemoteFX vGPU scenarios”, Remote Desktop attempts to use hardware encoding for all scenarios except RemoteFX vGPU. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure H.264/AVC hardware encoding for Remote Desktop Connections* +- GP name: *TS_SERVER_AVC_HW_ENCODE_PREFERRED* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_COMPRESSOR** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. + +By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. + +If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. + +You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. + +If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure compression for RemoteFX data* +- GP name: *TS_SERVER_COMPRESSOR* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. + +If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. + +If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. + +If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. + +If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. + +If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure image quality for RemoteFX Adaptive Graphics* +- GP name: *TS_SERVER_IMAGE_QUALITY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_LEGACY_RFX** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. + +When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. + +When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. + +If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. + +If you disable this policy setting, RemoteFX will be disabled. + +If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure RemoteFX* +- GP name: *TS_SERVER_LEGACY_RFX* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_PROFILE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. + +If you enable this policy setting, the RemoteFX experience could be set to one of the following options: +1. Let the system choose the experience for the network condition +2. Optimize for server scalability +3. Optimize for minimum bandwidth usage + +If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure RemoteFX Adaptive Graphics* +- GP name: *TS_SERVER_PROFILE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_VISEXP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. + +By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. + +If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. + +If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Optimize visual experience for Remote Desktop Service Sessions* +- GP name: *TS_SERVER_VISEXP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* +- GP name: *TS_SERVER_WDDM_GRAPHICS_DRIVER* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time limit for disconnected sessions* +- GP name: *TS_SESSIONS_Disconnected_Timeout_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. + +You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. + +If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time limit for disconnected sessions* +- GP name: *TS_SESSIONS_Disconnected_Timeout_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time limit for active but idle Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Idle_Limit_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. + +If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time limit for active but idle Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Idle_Limit_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SESSIONS_Limits_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time limit for active Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Limits_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SESSIONS_Limits_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. + +If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. + +If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. + +If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. + +> [!NOTE] +> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set time limit for active Remote Desktop Services sessions* +- GP name: *TS_SESSIONS_Limits_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SINGLE_SESSION** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict users to a single Remote Desktop Services session. + +If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. + +If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. + +If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* +- GP name: *TS_SINGLE_SESSION* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_SMART_CARD** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. + +If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. + +If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. + +> [!NOTE] +> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow smart card device redirection* +- GP name: *TS_SMART_CARD* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_START_PROGRAM_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Configures Remote Desktop Services to run a specified program automatically upon connection. + +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. + +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. + +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. + +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +> [!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start a program on connection* +- GP name: *TS_START_PROGRAM_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_START_PROGRAM_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Configures Remote Desktop Services to run a specified program automatically upon connection. + +You can use this setting to specify a program to run automatically when a user logs on to a remote computer. + +By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. + +To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. + +If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. + +If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) + +> [!NOTE] +> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start a program on connection* +- GP name: *TS_START_PROGRAM_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_Session_End_On_Limit_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. + +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. + +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +> [!NOTE] +> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *End session when time limits are reached* +- GP name: *TS_Session_End_On_Limit_1* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_Session_End_On_Limit_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. + +You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. + +Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. + +If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. + +If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. + +> [!NOTE] +> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *End session when time limits are reached* +- GP name: *TS_Session_End_On_Limit_2* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_TEMP_DELETE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. + +You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. + +If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. + +If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. + +If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. + +> [!NOTE] +> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not delete temp folders upon exit* +- GP name: *TS_TEMP_DELETE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_TEMP_PER_SESSION** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. + +You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. + +If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. + +If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. + +If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not use temporary folders per session* +- GP name: *TS_TEMP_PER_SESSION* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_TIME_ZONE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. + +If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). + +If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. + +> [!NOTE] +> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow time zone redirection* +- GP name: *TS_TIME_ZONE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. + +You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. + +If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. + +If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. + +> [!NOTE] +> The preferred method of managing user access is by adding a user to the Remote Desktop Users group. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow local administrators to customize permissions* +- GP name: *TS_TSCC_PERMISSIONS_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. + +If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. + +If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. + +> [!NOTE] +> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Always show desktop on connection* +- GP name: *TS_TURNOFF_SINGLEAPP* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. + +If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. + +If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. + +For this change to take effect, you must restart Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow RDP redirection of other supported RemoteFX USB devices from this computer* +- GP name: *TS_USB_REDIRECTION_DISABLE* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. + +If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. + +To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. + +If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. + +If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. + +> [!IMPORTANT] +> Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require user authentication for remote connections by using Network Level Authentication* +- GP name: *TS_USER_AUTHENTICATION_POLICY* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_USER_HOME** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's home directory for a Remote Desktop Services session. + +To use this setting, select the location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter to which you want the network share to be mapped. + +If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. + +> [!NOTE] +> The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. + +If the status is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. + +If the status is set to Disabled or Not Configured, the user's home directory is as specified at the server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set Remote Desktop Services User Home Directory* +- GP name: *TS_USER_HOME* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. + +If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. + +If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. + +> [!NOTE] +> For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use mandatory profiles on the RD Session Host server* +- GP name: *TS_USER_MANDATORY_PROFILES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ + +**ADMX_TerminalServer/TS_USER_PROFILES** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. + +By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. + +If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. + +To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. + +If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. + +> [!NOTE] +> - The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. +> - To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set path for Remote Desktop Services Roaming User Profile* +- GP name: *TS_USER_PROFILES* +- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* +- GP ADMX file name: *TerminalServer.admx* + + + +
+ Footnotes: - 1 - Available in Windows 10, version 1607. From 286c1ff5708a22c7f839c26f2243df910a422040 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 29 Oct 2020 16:28:12 -0700 Subject: [PATCH 16/37] Added ADMX_WindowsExplorer policies --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 71 + .../policy-configuration-service-provider.md | 219 + .../mdm/policy-csp-admx-windowsexplorer.md | 5367 +++++++++++++++++ 4 files changed, 5658 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-windowsexplorer.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 2f06abcfc0..41da383f69 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -226,6 +226,7 @@ #### [ADMX_WinCal](policy-csp-admx-wincal.md) #### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) #### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index da688c9114..5952cfc7ae 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -582,6 +582,77 @@ ms.date: 10/08/2020 - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1) - [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2) - [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar) +- [ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs) +- [ADMX_WindowsExplorer/ClassicShell](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell) +- [ADMX_WindowsExplorer/ConfirmFileDelete](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete) +- [ADMX_WindowsExplorer/DefaultLibrariesLocation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation) +- [ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage) +- [ADMX_WindowsExplorer/DisableIndexedLibraryExperience](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience) +- [ADMX_WindowsExplorer/DisableKnownFolders](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders) +- [ADMX_WindowsExplorer/DisableSearchBoxSuggestions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions) +- [ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath) +- [ADMX_WindowsExplorer/EnableSmartScreen](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen) +- [ADMX_WindowsExplorer/EnforceShellExtensionSecurity](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity) +- [ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized) +- [ADMX_WindowsExplorer/HideContentViewModeSnippets](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted) +- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown) +- [ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo) +- [ADMX_WindowsExplorer/MaxRecentDocs](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs) +- [ADMX_WindowsExplorer/NoBackButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton) +- [ADMX_WindowsExplorer/NoCDBurning](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning) +- [ADMX_WindowsExplorer/NoCacheThumbNailPictures](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures) +- [ADMX_WindowsExplorer/NoChangeAnimation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation) +- [ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators) +- [ADMX_WindowsExplorer/NoDFSTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab) +- [ADMX_WindowsExplorer/NoDrives](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives) +- [ADMX_WindowsExplorer/NoEntireNetwork](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork) +- [ADMX_WindowsExplorer/NoFileMRU](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru) +- [ADMX_WindowsExplorer/NoFileMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu) +- [ADMX_WindowsExplorer/NoFolderOptions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions) +- [ADMX_WindowsExplorer/NoHardwareTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab) +- [ADMX_WindowsExplorer/NoManageMyComputerVerb](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb) +- [ADMX_WindowsExplorer/NoMyComputerSharedDocuments](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments) +- [ADMX_WindowsExplorer/NoNetConnectDisconnect](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect) +- [ADMX_WindowsExplorer/NoNewAppAlert](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert) +- [ADMX_WindowsExplorer/NoPlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar) +- [ADMX_WindowsExplorer/NoRecycleFiles](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles) +- [ADMX_WindowsExplorer/NoRunAsInstallPrompt](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt) +- [ADMX_WindowsExplorer/NoSearchInternetTryHarderButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton) +- [ADMX_WindowsExplorer/NoSecurityTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab) +- [ADMX_WindowsExplorer/NoShellSearchButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton) +- [ADMX_WindowsExplorer/NoStrCmpLogical](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical) +- [ADMX_WindowsExplorer/NoViewContextMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu) +- [ADMX_WindowsExplorer/NoViewOnDrive](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive) +- [ADMX_WindowsExplorer/NoWindowsHotKeys](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys) +- [ADMX_WindowsExplorer/NoWorkgroupContents](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents) +- [ADMX_WindowsExplorer/PlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar) +- [ADMX_WindowsExplorer/PromptRunasInstallNetPath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath) +- [ADMX_WindowsExplorer/RecycleBinSize](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize) +- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1) +- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2) +- [ADMX_WindowsExplorer/ShowHibernateOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption) +- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption) +- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary) +- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch) - [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline) - [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings) - [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 4f04904352..f30a3e0abe 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2091,6 +2091,225 @@ The following diagram shows the Policy configuration service provider in tree fo
+ +### ADMX_WindowsExplorer policies + +
+
+ ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS +
+
+ ADMX_WindowsExplorer/ClassicShell +
+
+ ADMX_WindowsExplorer/ConfirmFileDelete +
+
+ ADMX_WindowsExplorer/DefaultLibrariesLocation +
+
+ ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +
+
+ ADMX_WindowsExplorer/DisableIndexedLibraryExperience +
+
+ ADMX_WindowsExplorer/DisableKnownFolders +
+
+ ADMX_WindowsExplorer/DisableSearchBoxSuggestions +
+
+ ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath +
+
+ ADMX_WindowsExplorer/EnableSmartScreen +
+
+ ADMX_WindowsExplorer/EnforceShellExtensionSecurity +
+
+ ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +
+
+ ADMX_WindowsExplorer/HideContentViewModeSnippets +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +
+
+ ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo +
+
+ ADMX_WindowsExplorer/MaxRecentDocs +
+
+ ADMX_WindowsExplorer/NoBackButton +
+
+ ADMX_WindowsExplorer/NoCDBurning +
+
+ ADMX_WindowsExplorer/NoCacheThumbNailPictures +
+
+ ADMX_WindowsExplorer/NoChangeAnimation +
+
+ ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators +
+
+ ADMX_WindowsExplorer/NoDFSTab +
+
+ ADMX_WindowsExplorer/NoDrives +
+
+ ADMX_WindowsExplorer/NoEntireNetwork +
+
+ ADMX_WindowsExplorer/NoFileMRU +
+
+ ADMX_WindowsExplorer/NoFileMenu +
+
+ ADMX_WindowsExplorer/NoFolderOptions +
+
+ ADMX_WindowsExplorer/NoHardwareTab +
+
+ ADMX_WindowsExplorer/NoManageMyComputerVerb +
+
+ ADMX_WindowsExplorer/NoMyComputerSharedDocuments +
+
+ ADMX_WindowsExplorer/NoNetConnectDisconnect +
+
+ ADMX_WindowsExplorer/NoNewAppAlert +
+
+ ADMX_WindowsExplorer/NoPlacesBar +
+
+ ADMX_WindowsExplorer/NoRecycleFiles +
+
+ ADMX_WindowsExplorer/NoRunAsInstallPrompt +
+
+ ADMX_WindowsExplorer/NoSearchInternetTryHarderButton +
+
+ ADMX_WindowsExplorer/NoSecurityTab +
+
+ ADMX_WindowsExplorer/NoShellSearchButton +
+
+ ADMX_WindowsExplorer/NoStrCmpLogical +
+
+ ADMX_WindowsExplorer/NoViewContextMenu +
+
+ ADMX_WindowsExplorer/NoViewOnDrive +
+
+ ADMX_WindowsExplorer/NoWindowsHotKeys +
+
+ ADMX_WindowsExplorer/NoWorkgroupContents +
+
+ ADMX_WindowsExplorer/PlacesBar +
+
+ ADMX_WindowsExplorer/PromptRunasInstallNetPath +
+
+ ADMX_WindowsExplorer/RecycleBinSize +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +
+
+ ADMX_WindowsExplorer/ShowHibernateOption +
+
+ ADMX_WindowsExplorer/ShowSleepOption +
+
+ ADMX_WindowsExplorer/TryHarderPinnedLibrary +
+
+ ADMX_WindowsExplorer/TryHarderPinnedOpenSearch +
+
+ ### ADMX_WindowsMediaDRM policies
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md new file mode 100644 index 0000000000..da00432094 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -0,0 +1,5367 @@ +--- +title: Policy CSP - ADMX_WindowsExplorer +description: Policy CSP - ADMX_WindowsExplorer +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 10/29/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_WindowsExplorer +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + + +## ADMX_WindowsExplorer policies + +
+
+ ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS +
+
+ ADMX_WindowsExplorer/ClassicShell +
+
+ ADMX_WindowsExplorer/ConfirmFileDelete +
+
+ ADMX_WindowsExplorer/DefaultLibrariesLocation +
+
+ ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage +
+
+ ADMX_WindowsExplorer/DisableIndexedLibraryExperience +
+
+ ADMX_WindowsExplorer/DisableKnownFolders +
+
+ ADMX_WindowsExplorer/DisableSearchBoxSuggestions +
+
+ ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath +
+
+ ADMX_WindowsExplorer/EnableSmartScreen +
+
+ ADMX_WindowsExplorer/EnforceShellExtensionSecurity +
+
+ ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized +
+
+ ADMX_WindowsExplorer/HideContentViewModeSnippets +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted +
+
+ ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown +
+
+ ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo +
+
+ ADMX_WindowsExplorer/MaxRecentDocs +
+
+ ADMX_WindowsExplorer/NoBackButton +
+
+ ADMX_WindowsExplorer/NoCDBurning +
+
+ ADMX_WindowsExplorer/NoCacheThumbNailPictures +
+
+ ADMX_WindowsExplorer/NoChangeAnimation +
+
+ ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators +
+
+ ADMX_WindowsExplorer/NoDFSTab +
+
+ ADMX_WindowsExplorer/NoDrives +
+
+ ADMX_WindowsExplorer/NoEntireNetwork +
+
+ ADMX_WindowsExplorer/NoFileMRU +
+
+ ADMX_WindowsExplorer/NoFileMenu +
+
+ ADMX_WindowsExplorer/NoFolderOptions +
+
+ ADMX_WindowsExplorer/NoHardwareTab +
+
+ ADMX_WindowsExplorer/NoManageMyComputerVerb +
+
+ ADMX_WindowsExplorer/NoMyComputerSharedDocuments +
+
+ ADMX_WindowsExplorer/NoNetConnectDisconnect +
+
+ ADMX_WindowsExplorer/NoNewAppAlert +
+
+ ADMX_WindowsExplorer/NoPlacesBar +
+
+ ADMX_WindowsExplorer/NoRecycleFiles +
+
+ ADMX_WindowsExplorer/NoRunAsInstallPrompt +
+
+ ADMX_WindowsExplorer/NoSearchInternetTryHarderButton +
+
+ ADMX_WindowsExplorer/NoSecurityTab +
+
+ ADMX_WindowsExplorer/NoShellSearchButton +
+
+ ADMX_WindowsExplorer/NoStrCmpLogical +
+
+ ADMX_WindowsExplorer/NoViewContextMenu +
+
+ ADMX_WindowsExplorer/NoViewOnDrive +
+
+ ADMX_WindowsExplorer/NoWindowsHotKeys +
+
+ ADMX_WindowsExplorer/NoWorkgroupContents +
+
+ ADMX_WindowsExplorer/PlacesBar +
+
+ ADMX_WindowsExplorer/PromptRunasInstallNetPath +
+
+ ADMX_WindowsExplorer/RecycleBinSize +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1 +
+
+ ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2 +
+
+ ADMX_WindowsExplorer/ShowHibernateOption +
+
+ ADMX_WindowsExplorer/ShowSleepOption +
+
+ ADMX_WindowsExplorer/TryHarderPinnedLibrary +
+
+ ADMX_WindowsExplorer/TryHarderPinnedOpenSearch +
+
+ + +
+ + +**ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. + +If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted. + +If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different. + +> [!NOTE] +> If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Verify old and new Folder Redirection targets point to the same share before redirecting* +- GP name: *CheckSameSourceAndTargetForFRAndDFS* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/ClassicShell** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. + +If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. + +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. + +If you disable or not configure this policy, the default File Explorer behavior is applied to the user. + +> [!NOTE] +> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on Classic Shell* +- GP name: *ClassicShell* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ConfirmFileDelete** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. + +If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. + +If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Display confirmation dialog when deleting files* +- GP name: *ConfirmFileDelete* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DefaultLibrariesLocation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. + +If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. + +If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Location where all default Library definition files for users/machines reside.* +- GP name: *DefaultLibrariesLocation* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. + +This behavior is consistent with Windows Vista's behavior in this scenario. + +This disables access to user-defined properties, and properties stored in NTFS secondary streams. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable binding directly to IPropertySetStorage without intermediate layers.* +- GP name: *DisableBindDirectlyToPropertySetStorage* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DisableIndexedLibraryExperience** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. + +If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations. + +Setting this policy will: + +- Disable all Arrangement views except for "By Folder" +- Disable all Search filter suggestions other than "Date Modified" and "Size" +- Disable view of file content snippets in Content mode when search results are returned +- Disable ability to stack in the Context menu and Column headers +- Exclude Libraries from the scope of Start search This policy will not enable users to add unsupported locations to Libraries + +If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled. + +If you disable or do not configure this policy, all default Windows Libraries features will be enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Libraries features that rely on indexed file data* +- GP name: *DisableIndexedLibraryExperience* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/DisableKnownFolders** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of known folders that should be disabled. + +Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder. + +You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos. + +> [!NOTE] +> Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Known Folders* +- GP name: *DisableKnownFolders* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/DisableSearchBoxSuggestions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. + +File Explorer shows suggestion pop-ups as users type into the Search Box. + +These suggestions are based on their past entries into the Search Box. + +> [!NOTE] +> If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off display of recent search entries in the File Explorer search box* +- GP name: *DisableSearchBoxSuggestions* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. + +If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. + +If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. + +> [!NOTE] +> Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow the use of remote paths in file shortcut icons* +- GP name: *EnableShellShortcutIconRemotePath* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/EnableSmartScreen** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. + +Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. + +If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: + +- Warn and prevent bypass +- Warn + +If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. + +If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. + +If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure Windows Defender SmartScreen* +- GP name: *EnableSmartScreen* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/EnforceShellExtensionSecurity** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This setting is designed to ensure that shell extensions can operate on a per-user basis. + +If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry. + +For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + +For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow only per user or approved shell extensions* +- GP name: *EnforceShellExtensionSecurity* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. + +If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. + +If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Start File Explorer with ribbon minimized* +- GP name: *ExplorerRibbonStartsMinimized* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/HideContentViewModeSnippets** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the display of snippets in Content view mode. + +If you enable this policy setting, File Explorer will not display snippets in Content view mode. + +If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the display of snippets in Content view mode* +- GP name: *HideContentViewModeSnippets* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Internet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_InternetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Intranet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_IntranetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_LocalMachine* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_LocalMachineLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Restricted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_RestrictedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_Trusted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item. + +If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer. + +Changes to this setting may not be applied until the user logs off from Windows. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer* +- GP name: *IZ_Policy_OpenSearchPreview_TrustedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Internet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_InternetLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Intranet* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_IntranetLockdown* +- GP path: *WWindows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_LocalMachine* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_LocalMachineLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Restricted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_RestrictedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_Trusted* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files. + +If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + +If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors. + +If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow OpenSearch queries in File Explorer* +- GP name: *IZ_Policy_OpenSearchQuery_TrustedLockdown* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. + +Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server. + +If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path. + +If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not track Shell shortcuts during roaming* +- GP name: *LinkResolveIgnoreLinkInfo* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/MaxRecentDocs** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. + +If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting. + +If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum number of recent documents* +- GP name: *MaxRecentDocs* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoBackButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs. + +If you enable this policy setting, the Back button is removed from the standard Open dialog box. + +If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the common dialog back button* +- GP name: *NoBackButton* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoCDBurning** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. + +If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. + +If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features. + +> [!NOTE] +> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove CD Burning features* +- GP name: *NoCDBurning* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoCacheThumbNailPictures** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off caching of thumbnail pictures. + +If you enable this policy setting, thumbnail views are not cached. + +If you disable or do not configure this policy setting, thumbnail views are cached. + +> [!NOTE] +> For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off caching of thumbnail pictures* +- GP name: *NoCacheThumbNailPictures* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoChangeAnimation** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. + +If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users. + +Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users. + +If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove UI to change menu animation setting* +- GP name: *NoChangeAnimation* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT. + +Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove UI to change keyboard navigation indicator setting* +- GP name: *NoChangeKeyboardNavigationIndicators* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoDFSTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the DFS tab from File Explorer. + +If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS. + +If you disable or do not configure this policy setting, the DFS tab is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove DFS tab* +- GP name: *NoDFSTab* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoDrives** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide these specified drives in My Computer. + +This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. + +If you enable this policy setting, select a drive or combination of drives in the drop-down list. + +> [!NOTE] +> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. + +If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide these specified drives in My Computer* +- GP name: *NoDrives* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoEntireNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. + +If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. + +This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. + +To remove computers in the user's workgroup or domain from lists of network resources, use the "No Computers Near Me in Network Locations" setting. + +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *No Entire Network in Network Locations* +- GP name: *NoEntireNetwork* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoFileMRU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the list of most recently used files from the Open dialog box. + +If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box. + +This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + +To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the dropdown list of recent files* +- GP name: *NoFileMRU* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoFileMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the File menu from My Computer and File Explorer. + +This setting does not prevent users from using other methods to perform tasks available on the File menu. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove File menu from File Explorer* +- GP name: *NoFileMenu* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoFolderOptions** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. + +Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings. + +If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options. + +If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon* +- GP name: *NoFolderOptions* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoHardwareTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Hardware tab* +- GP name: *NoHardwareTab* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoManageMyComputerVerb** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. + +The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools. + +This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management. + +> [!TIP] +> To hide all context menus, use the "Remove File Explorer's default context menu" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hides the Manage item on the File Explorer context menu* +- GP name: *NoManageMyComputerVerb* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoMyComputerSharedDocuments** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed. + +If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer. + +If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. + +> [!NOTE] +> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Shared Documents from My Computer* +- GP name: *NoMyComputerSharedDocuments* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoNetConnectDisconnect** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using File Explorer or Network Locations to map or disconnect network drives. + +If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons. + +This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. + +> [!NOTE] +> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove "Map Network Drive" and "Disconnect Network Drive"* +- GP name: *NoNetConnectDisconnect* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoNewAppAlert** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). + +If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not show the 'new application installed' notification* +- GP name: *NoNewAppAlert* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoPlacesBar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. + +To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the common dialog places bar* +- GP name: *NoPlacesBar* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoRecycleFiles** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. + +If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. + +If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recyele Bin. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not move deleted files to the Recycle Bin* +- GP name: *NoRecycleFiles* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoRunAsInstallPrompt** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from submitting alternate logon credentials to install a program. + +This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. + +Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. + +If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer. + +By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not request alternate credentials* +- GP name: *NoRunAsInstallPrompt* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoSearchInternetTryHarderButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window. + +If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms. + +If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove the Search the Internet "Search again" link* +- GP name: *NoSearchInternetTryHarderButton* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoSecurityTab** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes the Security tab from File Explorer. + +If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. + +If you disable or do not configure this setting, users will be able to access the security tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Security tab* +- GP name: *NoSecurityTab* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoShellSearchButton** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. + +If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar. + +This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Search button from File Explorer* +- GP name: *NoShellSearchButton* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoStrCmpLogical** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. + +If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3). + +If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off numerical sorting in File Explorer* +- GP name: *NoStrCmpLogical* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoViewContextMenu** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. + +If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove File Explorer's default context menu* +- GP name: *NoViewContextMenu* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoViewOnDrive** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives. + +If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives. + +To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list. + +> [!NOTE] +> The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action. +> +> Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent access to drives from My Computer* +- GP name: *NoViewOnDrive* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoWindowsHotKeys** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. + +By using this setting, you can disable these Windows Key hotkeys. + +If you enable this setting, the Windows Key hotkeys are unavailable. + +If you disable or do not configure this setting, the Windows Key hotkeys are available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Windows Key hotkeys* +- GP name: *NoWindowsHotKeys* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/NoWorkgroupContents** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. + +If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser. + +If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations. + +This policy setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box. + +To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *No Computers Near Me in Network Locations* +- GP name: *NoWorkgroupContents* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/PlacesBar** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. + +The valid items you may display in the Places Bar are: + +1. Shortcuts to a local folders -- (example: `C:\Windows`) +2. Shortcuts to remote folders -- (`\\server\share`) +3. FTP folders +4. web folders +5. Common Shell folders. + +The list of Common Shell Folders that may be specified: + +Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches. + +If you disable or do not configure this setting the default list of items will be displayed in the Places Bar. + +> [!NOTE] +> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Items displayed in Places Bar* +- GP name: *PlacesBar* +- GP path: *Windows Components\File Explorer\Common Open File Dialog* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/PromptRunasInstallNetPath** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Prompts users for alternate logon credentials during network-based installations. + +This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection. + +If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media. + +The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials. + +If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly. + +> [!NOTE] +> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Request credentials for network installations* +- GP name: *PromptRunasInstallNetPath* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/RecycleBinSize** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Limits the percentage of a volume's disk space that can be used to store deleted files. + +If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. + +If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin. + +> [!NOTE] +> This setting is applied to all volumes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Maximum allowed Recycle Bin size* +- GP name: *RecycleBinSize* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + +If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. + +If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + +If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off shell protocol protected mode* +- GP name: *ShellProtocolProtectedModeTitle_1* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. + +If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files. + +If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + +If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off shell protocol protected mode* +- GP name: *ShellProtocolProtectedModeTitle_2* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShowHibernateOption** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Shows or hides hibernate from the power options menu. + +If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. + +If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show hibernate in the power options menu* +- GP name: *ShowHibernateOption* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/ShowSleepOption** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in the latest Windows 10 Insider Preview Build. Shows or hides sleep from the power options menu. + +If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). + +If you disable this policy setting, the sleep option will never be shown in the Power Options menu. + +If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Show sleep in the power options menu* +- GP name: *ShowSleepOption* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/TryHarderPinnedLibrary** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file. + +You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. + +The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links. + +If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links. + +If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pin Libraries or Search Connectors to the "Search again" links and the Start menu* +- GP name: *TryHarderPinnedLibrary* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ + +**ADMX_WindowsExplorer/TryHarderPinnedOpenSearch** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}). + +You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. + +The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links. + +If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links. + +If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Pin Internet search sites to the "Search again" links and the Start menu* +- GP name: *TryHarderPinnedOpenSearch* +- GP path: *Windows Components\File Explorer* +- GP ADMX file name: *WindowsExplorer.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + \ No newline at end of file From d0584bde816c72b2ca8b8871c03a9a14673042fd Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 29 Oct 2020 16:34:43 -0700 Subject: [PATCH 17/37] Fixed broken links --- .../mdm/policies-in-policy-csp-admx-backed.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 5952cfc7ae..f17aa74561 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -395,28 +395,28 @@ ms.date: 10/08/2020 - [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey) - [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff) - [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled) -- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md.#admx-taskbar-disablenotificationcenter) -- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md.#admx-taskbar-enablelegacyballoonnotifications) -- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescahealth) -- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescanetwork) -- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescapower) -- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md.#admx-taskbar-hidescavolume) -- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md.#admx-taskbar-noballoonfeatureadvertisements) -- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md.#admx-taskbar-nopinningstoretotaskbar) -- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md.#admx-taskbar-nopinningtodestinations) -- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md.#admx-taskbar-nopinningtotaskbar) -- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md.#admx-taskbar-noremotedestinations) -- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md.#admx-taskbar-nosystraysystempromotion) -- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md.#admx-taskbar-showwindowsstoreappsontaskbar) -- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarlockall) -- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnoaddremovetoolbar) -- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnodragtoolbar) -- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnomultimon) -- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnonotification) -- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnopinnedlist) -- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnoredock) -- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnoresize) -- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md.#admx-taskbar-taskbarnothumbnail) +- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter) +- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications) +- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth) +- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork) +- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower) +- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume) +- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements) +- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar) +- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations) +- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar) +- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations) +- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion) +- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar) +- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall) +- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar) +- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar) +- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon) +- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification) +- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist) +- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock) +- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize) +- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail) - [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name) - [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval) - [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state) From 9922884fabd97b45af588d4e9f71e752e6df45fd Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 6 Nov 2020 11:40:43 -0800 Subject: [PATCH 18/37] Added Phase 2a policies --- .../mdm/policies-in-policy-csp-admx-backed.md | 108 + .../policy-configuration-service-provider.md | 339 + .../mdm/policy-csp-admx-terminalserver.md | 6796 ----------------- 3 files changed, 447 insertions(+), 6796 deletions(-) delete mode 100644 windows/client-management/mdm/policy-csp-admx-terminalserver.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index f17aa74561..8ede74a7a6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -56,6 +56,10 @@ ms.date: 10/08/2020 - [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine) - [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser) - [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile) +- [ADMX_CipherSuiteOrder/SSLCipherSuiteOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder) +- [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder) +- [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1) +- [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2) - [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile) - [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword) - [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer) @@ -135,6 +139,110 @@ ms.date: 10/08/2020 - [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb) - [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author) - [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins) +- [ADMX_MMCSnapins/MMC_ADMComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1) +- [ADMX_MMCSnapins/MMC_ADMComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2) +- [ADMX_MMCSnapins/MMC_ADMUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1) +- [ADMX_MMCSnapins/MMC_ADMUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2) +- [ADMX_MMCSnapins/MMC_ADSI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi) +- [ADMX_MMCSnapins/MMC_ActiveDirDomTrusts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts) +- [ADMX_MMCSnapins/MMC_ActiveDirSitesServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices) +- [ADMX_MMCSnapins/MMC_ActiveDirUsersComp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp) +- [ADMX_MMCSnapins/MMC_AppleTalkRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting) +- [ADMX_MMCSnapins/MMC_AuthMan](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman) +- [ADMX_MMCSnapins/MMC_CertAuth](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth) +- [ADMX_MMCSnapins/MMC_CertAuthPolSet](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset) +- [ADMX_MMCSnapins/MMC_Certs](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs) +- [ADMX_MMCSnapins/MMC_CertsTemplate](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate) +- [ADMX_MMCSnapins/MMC_ComponentServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices) +- [ADMX_MMCSnapins/MMC_ComputerManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement) +- [ADMX_MMCSnapins/MMC_ConnectionSharingNAT](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat) +- [ADMX_MMCSnapins/MMC_DCOMCFG](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg) +- [ADMX_MMCSnapins/MMC_DFS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs) +- [ADMX_MMCSnapins/MMC_DHCPRelayMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt) +- [ADMX_MMCSnapins/MMC_DeviceManager_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1) +- [ADMX_MMCSnapins/MMC_DeviceManager_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2) +- [ADMX_MMCSnapins/MMC_DiskDefrag](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag) +- [ADMX_MMCSnapins/MMC_DiskMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt) +- [ADMX_MMCSnapins/MMC_EnterprisePKI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki) +- [ADMX_MMCSnapins/MMC_EventViewer_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1) +- [ADMX_MMCSnapins/MMC_EventViewer_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2) +- [ADMX_MMCSnapins/MMC_EventViewer_3](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3) +- [ADMX_MMCSnapins/MMC_EventViewer_4](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4) +- [ADMX_MMCSnapins/MMC_FAXService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice) +- [ADMX_MMCSnapins/MMC_FailoverClusters](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters) +- [ADMX_MMCSnapins/MMC_FolderRedirection_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1) +- [ADMX_MMCSnapins/MMC_FolderRedirection_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2) +- [ADMX_MMCSnapins/MMC_FrontPageExt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext) +- [ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin) +- [ADMX_MMCSnapins/MMC_GroupPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin) +- [ADMX_MMCSnapins/MMC_GroupPolicyTab](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab) +- [ADMX_MMCSnapins/MMC_HRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra) +- [ADMX_MMCSnapins/MMC_IAS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias) +- [ADMX_MMCSnapins/MMC_IASLogging](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging) +- [ADMX_MMCSnapins/MMC_IEMaintenance_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1) +- [ADMX_MMCSnapins/MMC_IEMaintenance_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2) +- [ADMX_MMCSnapins/MMC_IGMPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting) +- [ADMX_MMCSnapins/MMC_IIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis) +- [ADMX_MMCSnapins/MMC_IPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting) +- [ADMX_MMCSnapins/MMC_IPSecManage_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp) +- [ADMX_MMCSnapins/MMC_IPXRIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting) +- [ADMX_MMCSnapins/MMC_IPXRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting) +- [ADMX_MMCSnapins/MMC_IPXSAPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting) +- [ADMX_MMCSnapins/MMC_IndexingService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice) +- [ADMX_MMCSnapins/MMC_IpSecManage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage) +- [ADMX_MMCSnapins/MMC_IpSecMonitor](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor) +- [ADMX_MMCSnapins/MMC_LocalUsersGroups](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups) +- [ADMX_MMCSnapins/MMC_LogicalMappedDrives](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives) +- [ADMX_MMCSnapins/MMC_NPSUI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui) +- [ADMX_MMCSnapins/MMC_NapSnap](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap) +- [ADMX_MMCSnapins/MMC_NapSnap_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp) +- [ADMX_MMCSnapins/MMC_Net_Framework](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework) +- [ADMX_MMCSnapins/MMC_OCSP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp) +- [ADMX_MMCSnapins/MMC_OSPFRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting) +- [ADMX_MMCSnapins/MMC_PerfLogsAlerts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts) +- [ADMX_MMCSnapins/MMC_PublicKey](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey) +- [ADMX_MMCSnapins/MMC_QoSAdmission](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission) +- [ADMX_MMCSnapins/MMC_RAS_DialinUser](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser) +- [ADMX_MMCSnapins/MMC_RIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting) +- [ADMX_MMCSnapins/MMC_RIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris) +- [ADMX_MMCSnapins/MMC_RRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra) +- [ADMX_MMCSnapins/MMC_RSM](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm) +- [ADMX_MMCSnapins/MMC_RemStore](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore) +- [ADMX_MMCSnapins/MMC_RemoteAccess](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess) +- [ADMX_MMCSnapins/MMC_RemoteDesktop](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop) +- [ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin) +- [ADMX_MMCSnapins/MMC_Routing](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing) +- [ADMX_MMCSnapins/MMC_SCA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca) +- [ADMX_MMCSnapins/MMC_SMTPProtocol](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol) +- [ADMX_MMCSnapins/MMC_SNMP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp) +- [ADMX_MMCSnapins/MMC_ScriptsMachine_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1) +- [ADMX_MMCSnapins/MMC_ScriptsMachine_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2) +- [ADMX_MMCSnapins/MMC_ScriptsUser_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1) +- [ADMX_MMCSnapins/MMC_ScriptsUser_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2) +- [ADMX_MMCSnapins/MMC_SecuritySettings_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1) +- [ADMX_MMCSnapins/MMC_SecuritySettings_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2) +- [ADMX_MMCSnapins/MMC_SecurityTemplates](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates) +- [ADMX_MMCSnapins/MMC_SendConsoleMessage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage) +- [ADMX_MMCSnapins/MMC_ServerManager](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager) +- [ADMX_MMCSnapins/MMC_ServiceDependencies](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies) +- [ADMX_MMCSnapins/MMC_Services](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services) +- [ADMX_MMCSnapins/MMC_SharedFolders](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders) +- [ADMX_MMCSnapins/MMC_SharedFolders_Ext](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext) +- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1) +- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2) +- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1) +- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2) +- [ADMX_MMCSnapins/MMC_SysInfo](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo) +- [ADMX_MMCSnapins/MMC_SysProp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop) +- [ADMX_MMCSnapins/MMC_TPMManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement) +- [ADMX_MMCSnapins/MMC_Telephony](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony) +- [ADMX_MMCSnapins/MMC_TerminalServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices) +- [ADMX_MMCSnapins/MMC_WMI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi) +- [ADMX_MMCSnapins/MMC_WindowsFirewall](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall) +- [ADMX_MMCSnapins/MMC_WindowsFirewall_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp) +- [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy) +- [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon) +- [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy) - [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth) - [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources) - [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5f4bd86d5d..c80a7ea33d 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -292,6 +292,28 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_CipherSuiteOrder policies + +
+
+ ADMX_CipherSuiteOrder/SSLCipherSuiteOrder +
+
+ ADMX_CipherSuiteOrder/SSLCurveOrder +
+
+ +### ADMX_COM policies + +
+
+ ADMX_COM/AppMgmt_COM_SearchForCLSID_1 +
+
+ ADMX_COM/AppMgmt_COM_SearchForCLSID_2 +
+
+ ### ADMX_Cpls policies @@ -599,6 +621,323 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_MMCSnapins policies + +
+
+ ADMX_MMCSnapins/MMC_ADMComputers_1 +
+
+ ADMX_MMCSnapins/MMC_ADMComputers_2 +
+
+ ADMX_MMCSnapins/MMC_ADMUsers_1 +
+
+ ADMX_MMCSnapins/MMC_ADMUsers_2 +
+
+ ADMX_MMCSnapins/MMC_ADSI +
+
+ ADMX_MMCSnapins/MMC_ActiveDirDomTrusts +
+
+ ADMX_MMCSnapins/MMC_ActiveDirSitesServices +
+
+ ADMX_MMCSnapins/MMC_ActiveDirUsersComp +
+
+ ADMX_MMCSnapins/MMC_AppleTalkRouting +
+
+ ADMX_MMCSnapins/MMC_AuthMan +
+
+ ADMX_MMCSnapins/MMC_CertAuth +
+
+ ADMX_MMCSnapins/MMC_CertAuthPolSet +
+
+ ADMX_MMCSnapins/MMC_Certs +
+
+ ADMX_MMCSnapins/MMC_CertsTemplate +
+
+ ADMX_MMCSnapins/MMC_ComponentServices +
+
+ ADMX_MMCSnapins/MMC_ComputerManagement +
+
+ ADMX_MMCSnapins/MMC_ConnectionSharingNAT +
+
+ ADMX_MMCSnapins/MMC_DCOMCFG +
+
+ ADMX_MMCSnapins/MMC_DFS +
+
+ ADMX_MMCSnapins/MMC_DHCPRelayMgmt +
+
+ ADMX_MMCSnapins/MMC_DeviceManager_1 +
+
+ ADMX_MMCSnapins/MMC_DeviceManager_2 +
+
+ ADMX_MMCSnapins/MMC_DiskDefrag +
+
+ ADMX_MMCSnapins/MMC_DiskMgmt +
+
+ ADMX_MMCSnapins/MMC_EnterprisePKI +
+
+ ADMX_MMCSnapins/MMC_EventViewer_1 +
+
+ ADMX_MMCSnapins/MMC_EventViewer_2 +
+
+ ADMX_MMCSnapins/MMC_EventViewer_3 +
+
+ ADMX_MMCSnapins/MMC_EventViewer_4 +
+
+ ADMX_MMCSnapins/MMC_FAXService +
+
+ ADMX_MMCSnapins/MMC_FailoverClusters +
+
+ ADMX_MMCSnapins/MMC_FolderRedirection_1 +
+
+ ADMX_MMCSnapins/MMC_FolderRedirection_2 +
+
+ ADMX_MMCSnapins/MMC_FrontPageExt +
+
+ ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn +
+
+ ADMX_MMCSnapins/MMC_GroupPolicySnapIn +
+
+ ADMX_MMCSnapins/MMC_GroupPolicyTab +
+
+ ADMX_MMCSnapins/MMC_HRA +
+
+ ADMX_MMCSnapins/MMC_IAS +
+
+ ADMX_MMCSnapins/MMC_IASLogging +
+
+ ADMX_MMCSnapins/MMC_IEMaintenance_1 +
+
+ ADMX_MMCSnapins/MMC_IEMaintenance_2 +
+
+ ADMX_MMCSnapins/MMC_IGMPRouting +
+
+ ADMX_MMCSnapins/MMC_IIS +
+
+ ADMX_MMCSnapins/MMC_IPRouting +
+
+ ADMX_MMCSnapins/MMC_IPSecManage_GP +
+
+ ADMX_MMCSnapins/MMC_IPXRIPRouting +
+
+ ADMX_MMCSnapins/MMC_IPXRouting +
+
+ ADMX_MMCSnapins/MMC_IPXSAPRouting +
+
+ ADMX_MMCSnapins/MMC_IndexingService +
+
+ ADMX_MMCSnapins/MMC_IpSecManage +
+
+ ADMX_MMCSnapins/MMC_IpSecMonitor +
+
+ ADMX_MMCSnapins/MMC_LocalUsersGroups +
+
+ ADMX_MMCSnapins/MMC_LogicalMappedDrives +
+
+ ADMX_MMCSnapins/MMC_NPSUI +
+
+ ADMX_MMCSnapins/MMC_NapSnap +
+
+ ADMX_MMCSnapins/MMC_NapSnap_GP +
+
+ ADMX_MMCSnapins/MMC_Net_Framework +
+
+ ADMX_MMCSnapins/MMC_OCSP +
+
+ ADMX_MMCSnapins/MMC_OSPFRouting +
+
+ ADMX_MMCSnapins/MMC_PerfLogsAlerts +
+
+ ADMX_MMCSnapins/MMC_PublicKey +
+
+ ADMX_MMCSnapins/MMC_QoSAdmission +
+
+ ADMX_MMCSnapins/MMC_RAS_DialinUser +
+
+ ADMX_MMCSnapins/MMC_RIPRouting +
+
+ ADMX_MMCSnapins/MMC_RIS +
+
+ ADMX_MMCSnapins/MMC_RRA +
+
+ ADMX_MMCSnapins/MMC_RSM +
+
+ ADMX_MMCSnapins/MMC_RemStore +
+
+ ADMX_MMCSnapins/MMC_RemoteAccess +
+
+ ADMX_MMCSnapins/MMC_RemoteDesktop +
+
+ ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn +
+
+ ADMX_MMCSnapins/MMC_Routing +
+
+ ADMX_MMCSnapins/MMC_SCA +
+
+ ADMX_MMCSnapins/MMC_SMTPProtocol +
+
+ ADMX_MMCSnapins/MMC_SNMP +
+
+ ADMX_MMCSnapins/MMC_ScriptsMachine_1 +
+
+ ADMX_MMCSnapins/MMC_ScriptsMachine_2 +
+
+ ADMX_MMCSnapins/MMC_ScriptsUser_1 +
+
+ ADMX_MMCSnapins/MMC_ScriptsUser_2 +
+
+ ADMX_MMCSnapins/MMC_SecuritySettings_1 +
+
+ ADMX_MMCSnapins/MMC_SecuritySettings_2 +
+
+ ADMX_MMCSnapins/MMC_SecurityTemplates +
+
+ ADMX_MMCSnapins/MMC_SendConsoleMessage +
+
+ ADMX_MMCSnapins/MMC_ServerManager +
+
+ ADMX_MMCSnapins/MMC_ServiceDependencies +
+
+ ADMX_MMCSnapins/MMC_Services +
+
+ ADMX_MMCSnapins/MMC_SharedFolders +
+
+ ADMX_MMCSnapins/MMC_SharedFolders_Ext +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1 +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2 +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1 +
+
+ ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2 +
+
+ ADMX_MMCSnapins/MMC_SysInfo +
+
+ ADMX_MMCSnapins/MMC_SysProp +
+
+ ADMX_MMCSnapins/MMC_TPMManagement +
+
+ ADMX_MMCSnapins/MMC_Telephony +
+
+ ADMX_MMCSnapins/MMC_TerminalServices +
+
+ ADMX_MMCSnapins/MMC_WMI +
+
+ ADMX_MMCSnapins/MMC_WindowsFirewall +
+
+ ADMX_MMCSnapins/MMC_WindowsFirewall_GP +
+
+ ADMX_MMCSnapins/MMC_WiredNetworkPolicy +
+
+ ADMX_MMCSnapins/MMC_WirelessMon +
+
+ ADMX_MMCSnapins/MMC_WirelessNetworkPolicy +
+
+ ### ADMX_MSAPolicy policies
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md deleted file mode 100644 index d1a599cfa9..0000000000 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ /dev/null @@ -1,6796 +0,0 @@ ---- -title: Policy CSP - ADMX_TerminalServer -description: Policy CSP - ADMX_TerminalServer -ms.author: dansimp -ms.localizationpriority: medium -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 10/27/2020 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - ADMX_TerminalServer -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
- - -## ADMX_TerminalServer policies - -
-
- ADMX_TerminalServer/TS_AUTO_RECONNECT -
-
- ADMX_TerminalServer/TS_CAMERA_REDIRECTION -
-
- ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1 -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2 -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1 -
-
- ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2 -
-
- ADMX_TerminalServer/TS_CLIENT_AUDIO -
-
- ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE -
-
- ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY -
-
- ADMX_TerminalServer/TS_CLIENT_CLIPBOARD -
-
- ADMX_TerminalServer/TS_CLIENT_COM -
-
- ADMX_TerminalServer/TS_CLIENT_DEFAULT_M -
-
- ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE -
-
- ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1 -
-
- ADMX_TerminalServer/TS_CLIENT_LPT -
-
- ADMX_TerminalServer/TS_CLIENT_PNP -
-
- ADMX_TerminalServer/TS_CLIENT_PRINTER -
-
- ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1 -
-
- ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2 -
-
- ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP -
-
- ADMX_TerminalServer/TS_COLORDEPTH -
-
- ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES -
-
- ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER -
-
- ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU -
-
- ADMX_TerminalServer/TS_EASY_PRINT -
-
- ADMX_TerminalServer/TS_EASY_PRINT_User -
-
- ADMX_TerminalServer/TS_EnableVirtualGraphics -
-
- ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE -
-
- ADMX_TerminalServer/TS_FORCIBLE_LOGOFF -
-
- ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD -
-
- ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE -
-
- ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER -
-
- ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
-
- ADMX_TerminalServer/TS_KEEP_ALIVE -
-
- ADMX_TerminalServer/TS_LICENSE_SECGROUP -
-
- ADMX_TerminalServer/TS_LICENSE_SERVERS -
-
- ADMX_TerminalServer/TS_LICENSE_TOOLTIP -
-
- ADMX_TerminalServer/TS_LICENSING_MODE -
-
- ADMX_TerminalServer/TS_MAXDISPLAYRES -
-
- ADMX_TerminalServer/TS_MAXMONITOR -
-
- ADMX_TerminalServer/TS_MAX_CON_POLICY -
-
- ADMX_TerminalServer/TS_NoDisconnectMenu -
-
- ADMX_TerminalServer/TS_NoSecurityMenu -
-
- ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP -
-
- ADMX_TerminalServer/TS_PreventLicenseUpgrade -
-
- ADMX_TerminalServer/TS_RADC_DefaultConnection -
-
- ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration -
-
- ADMX_TerminalServer/TS_RemoteControl_1 -
-
- ADMX_TerminalServer/TS_RemoteControl_2 -
-
- ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics -
-
- ADMX_TerminalServer/TS_SD_ClustName -
-
- ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS -
-
- ADMX_TerminalServer/TS_SD_Loc -
-
- ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY -
-
- ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT -
-
- ADMX_TerminalServer/TS_SELECT_TRANSPORT -
-
- ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP -
-
- ADMX_TerminalServer/TS_SERVER_AUTH -
-
- ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED -
-
- ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED -
-
- ADMX_TerminalServer/TS_SERVER_COMPRESSOR -
-
- ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY -
-
- ADMX_TerminalServer/TS_SERVER_LEGACY_RFX -
-
- ADMX_TerminalServer/TS_SERVER_PROFILE -
-
- ADMX_TerminalServer/TS_SERVER_VISEXP -
-
- ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER -
-
- ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1 -
-
- ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 -
-
- ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 -
-
- ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 -
-
- ADMX_TerminalServer/TS_SESSIONS_Limits_1 -
-
- ADMX_TerminalServer/TS_SESSIONS_Limits_2 -
-
- ADMX_TerminalServer/TS_SINGLE_SESSION -
-
- ADMX_TerminalServer/TS_SMART_CARD -
-
- ADMX_TerminalServer/TS_START_PROGRAM_1 -
-
- ADMX_TerminalServer/TS_START_PROGRAM_2 -
-
- ADMX_TerminalServer/TS_Session_End_On_Limit_1 -
-
- ADMX_TerminalServer/TS_Session_End_On_Limit_2 -
-
- ADMX_TerminalServer/TS_TEMP_DELETE -
-
- ADMX_TerminalServer/TS_TEMP_PER_SESSION -
-
- ADMX_TerminalServer/TS_TIME_ZONE -
-
- ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY -
-
- ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP -
-
- ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE -
-
- ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY -
-
- ADMX_TerminalServer/TS_USER_HOME -
-
- ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES -
-
- ADMX_TerminalServer/TS_USER_PROFILES -
-
- - -
- - -**ADMX_TerminalServer/TS_AUTO_RECONNECT** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. - -By default, a maximum of twenty reconnection attempts are made at five second intervals. - -If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. - -If the status is set to Disabled, automatic reconnection of clients is prohibited. - -If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Automatic reconnection* -- GP name: *TS_AUTO_RECONNECT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CAMERA_REDIRECTION** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. - -By default, a maximum of twenty reconnection attempts are made at five second intervals. - -If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. - -If the status is set to Disabled, automatic reconnection of clients is prohibited. - -If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Automatic reconnection* -- GP name: *TS_CAMERA_REDIRECTION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. - -A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. - -If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. - -If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. - -If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. - -> [!NOTE] -> If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Server authentication certificate template* -- GP name: *TS_CERTIFICATE_TEMPLATE_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). - -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - -> [!NOTE] -> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). - -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. - -> [!NOTE] -> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow .rdp files from valid publishers and user's default .rdp settings* -- GP name: *TS_CLIENT_ALLOW_SIGNED_FILES_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. - -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow .rdp files from unknown publishers* -- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. - -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. - -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow .rdp files from unknown publishers* -- GP name: *TS_CLIENT_ALLOW_UNSIGNED_FILES_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_AUDIO** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. - -Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. - -By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. - -If you enable this policy setting, audio and video playback redirection is allowed. - -If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow audio and video playback redirection* -- GP name: *TS_CLIENT_AUDIO* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. - -Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an audio input device on the local computer, such as a built-in microphone. - -By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. - -If you enable this policy setting, audio recording redirection is allowed. - -If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. - -If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow audio recording redirection* -- GP name: *TS_CLIENT_AUDIO_CAPTURE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. - -If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. - -The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. - -For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. - -Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. - -If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Limit audio playback quality* -- GP name: *TS_CLIENT_AUDIO_QUALITY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_CLIPBOARD** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. - -You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. - -If you enable this policy setting, users cannot redirect Clipboard data. - -If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. - -If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow Clipboard redirection* -- GP name: *TS_CLIENT_CLIPBOARD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_COM** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. - -You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. - -If you enable this policy setting, users cannot redirect server data to the local COM port. - -If you disable this policy setting, Remote Desktop Services always allows COM port redirection. - -If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow COM port redirection* -- GP name: *TS_CLIENT_COM* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_DEFAULT_M** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. - -By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. - -If you enable this policy setting, the default printer is the printer specified on the remote computer. If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. - -If you do not configure this policy setting, the default printer is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not set default client printer to be default printer in a session* -- GP name: *TS_CLIENT_DEFAULT_M* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. - -For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow hardware accelerated decoding* -- GP name: *TS_CLIENT_DISABLE_HARDWARE_MODE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. Controls whether a user can save passwords using Remote Desktop Connection. - -If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. - -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow passwords to be saved* -- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_LPT** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. - -You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. - -If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. - -If you disable this policy setting, LPT port redirection is always allowed. - -If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow LPT port redirection* -- GP name: *TS_CLIENT_LPT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_PNP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. - -By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. - -If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. - -If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. - -> [!NOTE] -> You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow supported Plug and Play device redirection* -- GP name: *TS_CLIENT_PNP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_PRINTER** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. - -If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. - -If you disable this policy setting, users can redirect print jobs with client printer mapping. - -If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow client printer redirection* -- GP name: *TS_CLIENT_PRINTER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. - -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. - -> [!NOTE] -> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. -> -> This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* -- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. - -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. - -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. - -> [!NOTE] -> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. -> -> This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Specify SHA1 thumbprints of certificates representing trusted .rdp publishers* -- GP name: *TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. - -If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. - -If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn Off UDP On Client* -- GP name: *TS_CLIENT_TURN_OFF_UDP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_COLORDEPTH** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. - -You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. - -If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. - -If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. - -> [!NOTE] -> - Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. -> - The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. -> - For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: -> -> - Value specified by this policy setting. -> - Maximum color depth supported by the client. -> - Value requested by the client If the client does not support at least 16 bits, the connection is terminated. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Limit maximum color depth* -- GP name: *TS_COLORDEPTH* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. - -This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. - -> [!NOTE] -> If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. - -If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. - -If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Limit the size of the entire roaming user profile cache* -- GP name: *TS_DELETE_ROAMING_USER_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether desktop wallpaper is displayed to clients when they are connected to a remote server using RDP. - -You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. - -If you enable this policy setting, wallpaper is not displayed in a Remote Desktop Services session. - -If you disable this policy setting, wallpaper is displayed in a Remote Desktop Services session, depending on the client configuration. - -If you do not configure this policy setting, Windows Vista displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2008 do not display wallpaper by default to Remote Desktop Services sessions. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Remove remote desktop wallpaper* -- GP name: *TS_DISABLE_REMOTE_DESKTOP_WALLPAPER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. - -If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. - -If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. - -> [!NOTE] -> The policy setting affects only the default graphics processing unit (GPU) on a computer with more than one GPU installed. All additional GPUs are considered secondary adapters and used as hardware renderers. The GPU configuration of the local session is not affected by this policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use the hardware default graphics adapter for all Remote Desktop Services sessions* -- GP name: *TS_DX_USE_FULL_HWGPU* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_EASY_PRINT** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. - -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. - -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. - -> [!NOTE] -> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use Remote Desktop Easy Print printer driver first* -- GP name: *TS_EASY_PRINT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_EASY_PRINT_User** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. - -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. - -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. - -> [!NOTE] -> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use Remote Desktop Easy Print printer driver first* -- GP name: *TS_EASY_PRINT_User* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_EnableVirtualGraphics** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. - -When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. - -When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. - -If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. - -If you disable this policy setting, RemoteFX will be disabled. - -If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure RemoteFX* -- GP name: *TS_EnableVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. - -By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. - -If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: - -- "Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. -- "Default to PCL if one is not found" - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. -- "Default to PS if one is not found" - If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. -- "Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. - -If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. - -If you do not configure this policy setting, the fallback printer driver behavior is off by default. - -> [!NOTE] -> If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Specify RD Session Host server fallback printer driver behavior* -- GP name: *TS_FALLBACKPRINTDRIVERTYPE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_FORCIBLE_LOGOFF** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. - -This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. - -If you enable this policy setting, logging off the connected administrator is not allowed. - -If you disable or do not configure this policy setting, logging off the connected administrator is allowed. - -> [!NOTE] -> The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Deny logoff of an administrator logged in to the console session* -- GP name: *TS_FORCIBLE_LOGOFF* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set RD Gateway authentication method* -- GP name: *TS_GATEWAY_POLICY_AUTH_METHOD* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. - -You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -> [!NOTE] -> To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. - -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Enable connection through RD Gateway* -- GP name: *TS_GATEWAY_POLICY_ENABLE* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. - -> [!NOTE] -> It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. - -To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. - -> [!NOTE] -> If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set RD Gateway server address* -- GP name: *TS_GATEWAY_POLICY_SERVER* -- GP path: *Windows Components\Remote Desktop Services\RD Gateway* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. - -If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. - -If the policy setting is not configured, the policy setting is not specified at the Group Policy level. - -> [!NOTE] -> - If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. -> - For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Join RD Connection Broker* -- GP name: *TS_JOIN_SESSION_DIRECTORY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_KEEP_ALIVE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. - -After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. - -If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. - -If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure keep-alive connection interval* -- GP name: *TS_KEEP_ALIVE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_LICENSE_SECGROUP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). - -You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. - -If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. - -If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. - -> [!NOTE] -> You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *License server security group* -- GP name: *TS_LICENSE_SECGROUP* -- GP path: *Windows Components\Remote Desktop Services\RD Licensing* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_LICENSE_SERVERS** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. - -If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: - -1. Remote Desktop license servers that are published in Active Directory Domain Services. -2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. - -If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use the specified Remote Desktop license servers* -- GP name: *TS_LICENSE_SERVERS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_LICENSE_TOOLTIP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. - -By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. - -If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. - -If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Hide notifications about RD Licensing problems that affect the RD Session Host server* -- GP name: *TS_LICENSE_TOOLTIP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_LICENSING_MODE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. - -You can use this policy setting to select one of two licensing modes: Per User or Per Device. Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL. - -Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL. - -If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server. - -If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set the Remote Desktop licensing mode* -- GP name: *TS_LICENSING_MODE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_MAXDISPLAYRES** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. - -If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. - -If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Limit maximum display resolution* -- GP name: *TS_MAXDISPLAYRES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_MAXMONITOR** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. - -If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. - -If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Limit number of monitors* -- GP name: *TS_MAXMONITOR* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_MAX_CON_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. - -You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. - -To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999. - -If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remote Desktop Services running on the server. - -If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. - -> [!NOTE] -> This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Limit number of connections* -- GP name: *TS_MAX_CON_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_NoDisconnectMenu** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. - -You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. - -If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. - -> [!NOTE] -> This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Remove "Disconnect" option from Shut Down dialog* -- GP name: *TS_NoDisconnectMenu* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_NoSecurityMenu** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. - -If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. - -If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Remove Windows Security item from Start menu* -- GP name: *TS_NoSecurityMenu* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. - -If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. - -> [!NOTE] -> If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. - -If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. - -For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prompt for credentials on the client computer* -- GP name: *TS_PROMT_CREDS_CLIENT_COMP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_PreventLicenseUpgrade** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. - -A license server attempts to provide the most appropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. - -By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: - -- A client connecting to a Windows Server 2003 terminal server -- A client connecting to a Windows 2000 terminal server - -If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. - -If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prevent license upgrade* -- GP name: *TS_PreventLicenseUpgrade* -- GP path: *Windows Components\Remote Desktop Services\RD Licensing* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RADC_DefaultConnection** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. - -The default connection URL must be configured in the form of http://contoso.com/rdweb/Feed/webfeed.aspx. - -If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. - -If you disable or do not configure this policy setting, the user has no default connection URL. - -> [!NOTE] -> RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Specify default connection URL* -- GP name: *TS_RADC_DefaultConnection* -- GP path: *Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. - -If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. - -If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Suspend user sign-in to complete app registration* -- GP name: *TS_RDSAppX_WaitForRegistration* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RemoteControl_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. - -Select the desired level of control and permission from the options list: - -1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. -2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. -3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. -4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. -5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set rules for remote control of Remote Desktop Services user sessions* -- GP name: *TS_RemoteControl_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RemoteControl_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. - -Select the desired level of control and permission from the options list: - -1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. -2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. -3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. -4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. -5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. - -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set rules for remote control of Remote Desktop Services user sessions* -- GP name: *TS_RemoteControl_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. - -Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). - -If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. - -By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Optimize visual experience when using RemoteFX* -- GP name: *TS_RemoteDesktopVirtualGraphics* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SD_ClustName** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. - -If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. - -If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. - -> [!NOTE] -> - This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. ->- For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure RD Connection Broker farm name* -- GP name: *TS_SD_ClustName* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. - -If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. - -If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. - -If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. - -> [!NOTE] -> For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use IP Address Redirection* -- GP name: *TS_SD_EXPOSE_ADDRESS* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SD_Loc** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. - -If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. - -If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. - -> [!NOTE] -> - For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. -> - This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. -> - To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure RD Connection Broker server name* -- GP name: *TS_SD_Loc* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. - -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: - -- Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -- RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -- SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. - -If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Require use of specific security layer for remote (RDP) connections* -- GP name: *TS_SECURITY_LAYER_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. - -If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. - -If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. - -If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. - -If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Select network detection on the server* -- GP name: *TS_SELECT_NETWORK_DETECT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SELECT_TRANSPORT** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. - -If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)". If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. - -If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. - -If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Select RDP transport protocols* -- GP name: *TS_SELECT_TRANSPORT* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. - -If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. - -If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use advanced RemoteFX graphics for RemoteApp* -- GP name: *TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_AUTH** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. - -If you enable this policy setting, you must specify one of the following settings: -- Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. -- Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. -- Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. - -If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure server authentication for client* -- GP name: *TS_SERVER_AUTH* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* -- GP name: *TS_SERVER_AVC444_MODE_PREFERRED* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. - -If you set the encoding option to “Always Attempt”, Remote Desktop will always try to use H.264/AVC hardware encoding when available, be aware that, for Windows Server running Hyper-V with RemoteFX vGPU enabled, the policy has to be set on the Hyper-V host machine. - -If you set the encoding option to “Attempt only for RemoteFX vGPU virtual machines” be aware that, for Windows Server running Hyper-V with RemoteFX vGPU enabled, the policy has to be set on the Hyper-V host machine. - -If you set the encoding option to “Attempt only for non-RemoteFX vGPU scenarios”, Remote Desktop attempts to use hardware encoding for all scenarios except RemoteFX vGPU. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure H.264/AVC hardware encoding for Remote Desktop Connections* -- GP name: *TS_SERVER_AVC_HW_ENCODE_PREFERRED* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_COMPRESSOR** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. - -By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. - -If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. - -You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. - -If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure compression for RemoteFX data* -- GP name: *TS_SERVER_COMPRESSOR* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. - -If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. - -If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. - -If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. - -If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. - -If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure image quality for RemoteFX Adaptive Graphics* -- GP name: *TS_SERVER_IMAGE_QUALITY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_LEGACY_RFX** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server. - -When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user experience by rendering content on the server by using graphics processing units (GPUs). By default, RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1. - -When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. - -If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. - -If you disable this policy setting, RemoteFX will be disabled. - -If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure RemoteFX* -- GP name: *TS_SERVER_LEGACY_RFX* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_PROFILE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. - -If you enable this policy setting, the RemoteFX experience could be set to one of the following options: -1. Let the system choose the experience for the network condition -2. Optimize for server scalability -3. Optimize for minimum bandwidth usage - -If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Configure RemoteFX Adaptive Graphics* -- GP name: *TS_SERVER_PROFILE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_VISEXP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience. - -By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. - -If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. - -If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Optimize visual experience for Remote Desktop Service Sessions* -- GP name: *TS_SERVER_VISEXP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for Windows Server 2008 R2* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections* -- GP name: *TS_SERVER_WDDM_GRAPHICS_DRIVER* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. - -You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. - -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. - -> [!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set time limit for disconnected sessions* -- GP name: *TS_SESSIONS_Disconnected_Timeout_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. - -You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. - -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. - -> [!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set time limit for disconnected sessions* -- GP name: *TS_SESSIONS_Disconnected_Timeout_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. - -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -> [!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set time limit for active but idle Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Idle_Limit_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. - -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -> [!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set time limit for active but idle Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Idle_Limit_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SESSIONS_Limits_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -> [!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set time limit for active Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Limits_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SESSIONS_Limits_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. - -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. - -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. - -If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. - -> [!NOTE] -> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set time limit for active Remote Desktop Services sessions* -- GP name: *TS_SESSIONS_Limits_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SINGLE_SESSION** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict users to a single Remote Desktop Services session. - -If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. - -If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. - -If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Restrict Remote Desktop Services users to a single Remote Desktop Services session* -- GP name: *TS_SINGLE_SESSION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_SMART_CARD** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. - -If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. - -If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. - -> [!NOTE] -> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow smart card device redirection* -- GP name: *TS_SMART_CARD* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_START_PROGRAM_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. Configures Remote Desktop Services to run a specified program automatically upon connection. - -You can use this setting to specify a program to run automatically when a user logs on to a remote computer. - -By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. - -To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. - -If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. - -If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) - -> [!NOTE] -> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Start a program on connection* -- GP name: *TS_START_PROGRAM_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_START_PROGRAM_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. Configures Remote Desktop Services to run a specified program automatically upon connection. - -You can use this setting to specify a program to run automatically when a user logs on to a remote computer. - -By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. - -To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. - -If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. - -If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) - -> [!NOTE] -> This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Start a program on connection* -- GP name: *TS_START_PROGRAM_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_Session_End_On_Limit_1** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. - -You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. - -Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. - -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. - -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. - -> [!NOTE] -> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *End session when time limits are reached* -- GP name: *TS_Session_End_On_Limit_1* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_Session_End_On_Limit_2** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. - -You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default, Remote Desktop Services disconnects sessions that reach their time limits. - -Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. - -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. - -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. - -> [!NOTE] -> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *End session when time limits are reached* -- GP name: *TS_Session_End_On_Limit_2* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_TEMP_DELETE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. - -You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. - -If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. - -If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. - -If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. - -> [!NOTE] -> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not delete temp folders upon exit* -- GP name: *TS_TEMP_DELETE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_TEMP_PER_SESSION** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. - -You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. - -If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. - -If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. - -If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not use temporary folders per session* -- GP name: *TS_TEMP_PER_SESSION* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_TIME_ZONE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. - -If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). - -If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. - -> [!NOTE] -> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow time zone redirection* -- GP name: *TS_TIME_ZONE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. - -You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. - -If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. - -If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. - -> [!NOTE] -> The preferred method of managing user access is by adding a user to the Remote Desktop Users group. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow local administrators to customize permissions* -- GP name: *TS_TSCC_PERMISSIONS_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. - -If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. - -If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. - -> [!NOTE] -> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Always show desktop on connection* -- GP name: *TS_TURNOFF_SINGLEAPP* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. - -If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. - -If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. - -For this change to take effect, you must restart Windows. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Allow RDP redirection of other supported RemoteFX USB devices from this computer* -- GP name: *TS_USB_REDIRECTION_DISABLE* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. - -If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. - -To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. - -If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. - -If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. - -> [!IMPORTANT] -> Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Require user authentication for remote connections by using Network Level Authentication* -- GP name: *TS_USER_AUTHENTICATION_POLICY* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_USER_HOME** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's home directory for a Remote Desktop Services session. - -To use this setting, select the location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter to which you want the network share to be mapped. - -If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form "Drive:\Path" (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. - -> [!NOTE] -> The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. - -If the status is set to Enabled, Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias. - -If the status is set to Disabled or Not Configured, the user's home directory is as specified at the server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set Remote Desktop Services User Home Directory* -- GP name: *TS_USER_HOME* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. - -If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. - -If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. - -> [!NOTE] -> For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use mandatory profiles on the RD Session Host server* -- GP name: *TS_USER_MANDATORY_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* - - - -
- - -**ADMX_TerminalServer/TS_USER_PROFILES** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. - -By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. - -If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. - -To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. - -If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. - -> [!NOTE] -> - The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. -> - To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set path for Remote Desktop Services Roaming User Profile* -- GP name: *TS_USER_PROFILES* -- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles* -- GP ADMX file name: *TerminalServer.admx* - - - -
- -Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - - - From 8c7c0ceebe14d6806447e81f0bad4c8f7c4b444f Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 6 Nov 2020 11:59:14 -0800 Subject: [PATCH 19/37] Fixed Acrolinx issues --- .../mdm/policy-csp-admx-networkconnections.md | 2 +- .../mdm/policy-csp-admx-powershellexecutionpolicy.md | 2 +- .../mdm/policy-csp-admx-windowsexplorer.md | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index c9677897bc..b2d54403e7 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -628,7 +628,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features. diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index fc764bfaf5..7113d20ba1 100644 --- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -163,7 +163,7 @@ Available in the latest Windows 10 Insider Preview Build. This policy setting le If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher. -The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. +The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run. If you disable this policy setting, no scripts are allowed to run. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index da00432094..c293e80086 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -2204,7 +2204,7 @@ If you do not configure this policy setting, users can perform OpenSearch querie ADMX Info: - GP English name: *Allow OpenSearch queries in File Explorer* - GP name: *IZ_Policy_OpenSearchQuery_IntranetLockdown* -- GP path: *WWindows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* +- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone* - GP ADMX file name: *WindowsExplorer.admx* @@ -3407,7 +3407,7 @@ If you disable this setting or do not configure it, the "File name" field includ This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. -To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. +To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. > [!NOTE] > In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -3965,7 +3965,7 @@ ADMX Info: Available in the latest Windows 10 Insider Preview Build. Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs. -To see an example of the standard Open dialog box, start Wordpad and, on the File menu, click Open. +To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open. > [!NOTE] > In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -4037,7 +4037,7 @@ Available in the latest Windows 10 Insider Preview Build. When a file or folder If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted. -If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recyele Bin. +If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin. > [!TIP] From 3cf68d613a4b5fb7ddc8dff12408fd9ad8cf0763 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:08:05 -0800 Subject: [PATCH 20/37] Update exploit-protection-reference.md --- .../exploit-protection-reference.md | 124 +++++++++--------- 1 file changed, 62 insertions(+), 62 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 8776de4b02..8e0b432b66 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -1,7 +1,7 @@ --- -title: Exploit Protection Reference +title: Exploit protection reference keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet -description: Details on how the Exploit Protection feature works in Windows 10 +description: Details on how the exploit protection feature works in Windows 10 search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -26,9 +26,9 @@ ms.custom: asr - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Exploit Protection provides advanced protections for applications which the IT Pro can apply after the developer has compiled and distributed the software. +Exploit protection provides advanced protections for applications that the IT Pro can apply after the developer has compiled and distributed the software. -This article helps you understand how Exploit Protection works, both at the policy level and at the individual mitigation level, to help you successfully build and apply Exploit Protection policies. +This article helps you understand how exploit protection works, both at the policy level and at the individual mitigation level, to help you successfully build and apply Exploit Protection policies. ## How mitigations are applied @@ -39,11 +39,11 @@ Mitigations are configured via a registry entry for each program that you config > [!IMPORTANT] > Image File Execution Options only allows you to specify a file name or path, and not a version number, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names or paths, applying them only on devices where you have tested that version and that architecture of the application. -If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. +If you configure exploit protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings. -To reset Exploit Protection settings using PowerShell, you could use the following command: +To reset exploit protection settings using PowerShell, you could use the following command: ```powershell Set-ProcessMitigation -PolicyFilePath EP-reset.xml @@ -181,21 +181,21 @@ Following is the EP-reset.xml distributed with the Windows Security Baselines: ## Mitigation Reference -The below sections detail the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. +The following sections detail the protections provided by each exploit protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. ## Arbitrary code guard ### Description -Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. +Arbitrary code guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. -Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). +Arbitrary code guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary code guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). -By preventing the *execute* flag from being set, the Data Execution Prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. +By preventing the *execute* flag from being set, the data execution prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. ### Compatibility considerations -Arbitrary Code Guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. +Arbitrary code guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. ### Configuration options @@ -207,23 +207,23 @@ Arbitrary Code Guard prevents allocating any memory as executable, which present ### Description -Block low integrity images prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. +Block low integrity images prevents the application from loading files that are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](https://docs.microsoft.com/windows/win32/secauthz/mandatory-integrity-control). ### Compatibility considerations -Block low integrity images will prevent the application from loading files which were downloaded from the internet. If your application workflow requires loading images which are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. +Block low integrity images will prevent the application from loading files that were downloaded from the internet. If your application workflow requires loading images that are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Block remote images ### Description -Block remote images will prevent the application from loading files which are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory which are on an external device controlled by the attacker. +Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker. This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. @@ -233,25 +233,25 @@ Block remote images will prevent the application from loading images from remote ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Block untrusted fonts ### Description -Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts which are installed into the windows\fonts directory will be loaded for processing by GDI. +Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts that are installed into the windows\fonts directory will be loaded for processing by GDI. This mitigation is implemented within GDI, which validates the location of the file. If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail. -Note that this mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). +This mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). ### Compatibility considerations -The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365 which use font glyphs to display UI. +The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365, which use font glyphs to display UI. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Code integrity guard @@ -259,17 +259,17 @@ The most common use of fonts outside of the system fonts directory is with [web Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. -This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary which is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. +This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. ### Compatibility considerations -This mitigation specifically blocks any binary which is not signed by Microsoft. As such, it will be incompatible with most third party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. +This mitigation specifically blocks any binary that is not signed by Microsoft. As such, it will be incompatible with most third-party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. ### Configuration options -**Also allow loading of images signed by Microsoft Store** - Applications which are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries which have gone through the store certification process to be loaded by the application. +**Also allow loading of images signed by Microsoft Store** - Applications that are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries that have gone through the store certification process to be loaded by the application. -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Control flow guard (CFG) @@ -277,7 +277,7 @@ This mitigation specifically blocks any binary which is not signed by Microsoft. Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). -This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications which are compiled with CFG support can benefit from this mitigation. +This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. @@ -296,19 +296,19 @@ Since applications must be compiled to support CFG, they implicitly declare thei ### Description -Data Execution Prevention (DEP) prevents memory which was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. +Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. ### Compatibility considerations -All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. +All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed. -All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. +All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. ### Configuration options -**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called thunking. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory which is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications which have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. +**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called *thunking*. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory that is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications that have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. ## Disable extension points @@ -318,13 +318,13 @@ This mitigation disables various extension points for an application, which migh This includes: -- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). +- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). - **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app. - **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL. ### Compatibility considerations -Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which will not work with the protected application. +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application. ### Configuration options @@ -341,11 +341,11 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com ### Compatibility considerations -This mitigation is designed for processes which are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application which displays a GUI using a single process will be impacted by this mitigation. +This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Do not allow child processes @@ -355,23 +355,23 @@ This mitigation prevents an application from creating new child applications. A ### Compatibility considerations -If your application launches child applications for any reason, such as supporting hyperlinks which launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. +If your application launches child applications for any reason, such as supporting hyperlinks that launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Export address filtering ### Description -Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules: +Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects three commonly attacked modules: - ntdll.dll - kernelbase.dll - kernel32.dll -The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. +The mitigation protects the memory page in the [export directory that points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. ### Compatibility considerations @@ -394,7 +394,7 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Force randomization for images (Mandatory ASLR) @@ -408,11 +408,11 @@ When the memory manager is mapping in the image into the process, Mandatory ASLR ### Compatibility considerations -This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. +This compatibility impact of ASLR is typically constrained to older applications that were built using compilers that made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. ### Configuration options -**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table](https://docs.microsoft.com/windows/win32/debug/pe-format#the-reloc-section-image-only) which the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). +**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table that the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). > [!Note] > **Force randomization for images (Mandatory ASLR)** has no audit mode. @@ -421,7 +421,7 @@ This compatibility impact of ASLR is typically constrained to older applications ### Description -The Import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. +The import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. @@ -455,11 +455,11 @@ This mitigation protects the following Windows APIs: ### Compatibility considerations -Legitimate applications which perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. +Legitimate applications that perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Randomize memory allocations (Bottom-up ASLR) @@ -467,15 +467,15 @@ Legitimate applications which perform API interception may be detected by this m Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect. -Note that the size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it significantly more difficult for an attacker to guess a location in memory. +The size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it more difficult for an attacker to guess a location in memory. ### Compatibility considerations -Most applications which are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). +Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). ### Configuration options -**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. +**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1 TB of variance) into the bottom-up allocation for 64-bit applications. > [!Note] > **Randomize memory allocations (Bottom-up ASLR)** has no audit mode. @@ -484,7 +484,7 @@ Most applications which are compatible with Mandatory ASLR (rebasing) will also ### Description -Simulate execution (SimExec) is a mitigation for 32-bit applications only which helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. It then inspects that function and walks backwards in memory to find the preceding CALL instruction to compare if the two match and that the RET hasn't been intercepted. +Simulate execution (SimExec) is a mitigation for 32-bit applications only. This helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. It then inspects that function and walks backwards in memory to find the preceding CALL instruction to determine whether the function and CALL instruction match, and that the RET hasn't been intercepted. The APIs intercepted by this mitigation are: @@ -527,19 +527,19 @@ If a ROP gadget is detected, the process is terminated. ### Compatibility considerations -Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. +Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Validate API invocation (CallerCheck) ### Description -Validate API invocation (CallerCheck) is a mitigation for return oriented programming (ROP) techniques which validates that sensitive APIs were called from a valid caller. This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function. +Validate API invocation (CallerCheck) is a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller. This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function. The APIs intercepted by this mitigation are: @@ -582,19 +582,19 @@ If a ROP gadget is detected, the process is terminated. ### Compatibility considerations -Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. +Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Validate exception chains (SEHOP) ### Description -Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. +Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that: @@ -619,13 +619,13 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic ### Description -*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). +*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). This mitigation is automatically applied to Windows Store applications. ### Compatibility considerations -Applications which were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation. +Applications that were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation. ### Configuration options @@ -656,21 +656,21 @@ This mitigation is already applied by default for 64-bit applications and for 32 ### Description -The *validate image dependency* mitigation helps protect against attacks which attempt to substitute code for dlls which are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH. +The *validate image dependency* mitigation helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH. ### Compatibility considerations -Compatibility issues are uncommon. Applications which depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Compatibility issues are uncommon. Applications that depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Validate stack integrity (StackPivot) ### Description -The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution. +The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution. This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. @@ -713,11 +713,11 @@ The APIs intercepted by this mitigation are: ### Compatibility considerations -Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. -Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. +Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). From 6f5ff926272f51892f0708291189bd18f4784778 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:12:21 -0800 Subject: [PATCH 21/37] Update exposed-apis-create-app-nativeapp.md --- .../exposed-apis-create-app-nativeapp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index a8b84f7619..a71727d746 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -1,7 +1,7 @@ --- -title: Use Microsoft Defender Advanced Threat Protection APIs +title: Use Microsoft Defender for Endpoint APIs ms.reviewer: -description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender ATP without a user. +description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,15 +24,15 @@ ms.topic: article **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) This page describes how to create an application to get programmatic access to Defender for Endpoint on behalf of a user. -If you need programmatic access Defender for Endpoint without a user, refer to [Access Defender for Endpoint with application context](exposed-apis-create-app-webapp.md). +If you need programmatic access Microsoft Defender for Endpoint without a user, refer to [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md). If you are not sure which access you need, read the [Introduction page](apis-intro.md). -Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application From 7ddf4a7dc22b24aa79f039694dc52ea0162f0583 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:14:04 -0800 Subject: [PATCH 22/37] Update exposed-apis-create-app-nativeapp.md --- .../exposed-apis-create-app-nativeapp.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index a71727d746..36d9d46439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -32,18 +32,18 @@ If you need programmatic access Microsoft Defender for Endpoint without a user, If you are not sure which access you need, read the [Introduction page](apis-intro.md). -Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application - Use the token to access Defender for Endpoint API -This page explains how to create an AAD application, get an access token to Defender for Endpoint and validate the token. +This page explains how to create an AAD application, get an access token to Microsoft Defender for Endpoint and validate the token. >[!NOTE] -> When accessing Defender for Endpoint API on behalf of a user, you will need the correct Application permission and user permission. -> If you are not familiar with user permissions on Defender for Endpoint, see [Manage portal access using role-based access control](rbac.md). +> When accessing Microsoft Defender for Endpoint API on behalf of a user, you will need the correct Application permission and user permission. +> If you are not familiar with user permissions on Microsoft Defender for Endpoint, see [Manage portal access using role-based access control](rbac.md). >[!TIP] > If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. @@ -63,11 +63,11 @@ This page explains how to create an AAD application, get an access token to Defe - **Name:** -Your application name- - **Application type:** Public client -4. Allow your Application to access Defender for Endpoint and assign it 'Read alerts' permission: +4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission: - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. ![Image of API access and API selection](images/add-permission.png) @@ -98,7 +98,7 @@ This page explains how to create an AAD application, get an access token to Defe ## Get an access token -For more information on AAD token, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +For more information on AAD tokens, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) ### Using C# @@ -172,6 +172,6 @@ Verify to make sure you got a correct token: // Do something useful with the response ``` -## Related topics +## See also - [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) -- [Access Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) From 20599084831e1bc38ac7da0b3b2d1c5a1efb9aec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:16:00 -0800 Subject: [PATCH 23/37] Update exposed-apis-create-app-partners.md --- .../exposed-apis-create-app-partners.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index 06355fd20a..638347246b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -1,7 +1,7 @@ --- -title: Create an Application to access Microsoft Defender ATP without a user +title: Create an Application to access Microsoft Defender for Endpoint without a user ms.reviewer: -description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user. +description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,17 +24,17 @@ ms.topic: article **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This page describes how to create an Azure Active Directory (Azure AD) application to get programmatic access to Defender for Endpoint on behalf of your customers. +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +This page describes how to create an Azure Active Directory (Azure AD) application to get programmatic access to Microsoft Defender for Endpoint on behalf of your customers. -Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create a **multi-tenant** Azure AD application. - Get authorized(consent) by your customer administrator for your application to access Defender for Endpoint resources it needs. - Get an access token using this application. -- Use the token to access Microsoft Defender ATP API. +- Use the token to access Microsoft Defender for Endpoint API. The following steps will guide you how to create an Azure AD application, get an access token to Microsoft Defender for Endpoint and validate the token. @@ -61,7 +61,7 @@ The following steps will guide you how to create an Azure AD application, get an - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**. - - **Note**: WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear. + - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. ![Image of API access and API selection](images/add-permission.png) @@ -212,7 +212,7 @@ You will get an answer of the form: Sanity check to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it - Validate you get a 'roles' claim with the desired permissions -- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender ATP: +- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint: - The "tid" claim is the tenant ID the token belongs to. ![Image of token validation](images/webapp-decoded-token.png) @@ -236,6 +236,6 @@ Sanity check to make sure you got a correct token: // Do something useful with the response ``` -## Related topics +## See also - [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md) From 3a5f7d06b3499683cb50c6837b65f5dd2454cd45 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:16:49 -0800 Subject: [PATCH 24/37] Update exposed-apis-create-app-webapp.md --- .../exposed-apis-create-app-webapp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index 5223dab678..ef6b72f749 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -1,7 +1,7 @@ --- -title: Create an app to access Microsoft Defender ATP without a user +title: Create an app to access Microsoft Defender for Endpoint without a user ms.reviewer: -description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user. +description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,11 +24,11 @@ ms.topic: article **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) This page describes how to create an application to get programmatic access to Defender for Endpoint without a user. If you need programmatic access to Defender for Endpoint on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md). -Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an Azure Active Directory (Azure AD) application. @@ -190,7 +190,7 @@ Ensure that you got the correct token: 1. Copy and paste the token you got in the previous step into [JWT](https://jwt.ms) in order to decode it. 1. Validate that you get a 'roles' claim with the desired permissions -1. In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles: +1. In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender for Endpoint's roles: ![Image of token validation](images/webapp-decoded-token.png) From ed09a7ad6dc7946d05e6f655562d4f3f00c14bac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:18:14 -0800 Subject: [PATCH 25/37] Update exposed-apis-create-app-webapp.md --- .../exposed-apis-create-app-webapp.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index ef6b72f749..c8dad3ff8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -35,7 +35,7 @@ In general, you’ll need to take the following steps to use the APIs: - Get an access token using this application. - Use the token to access Defender for Endpoint API. -This article explains how to create an Azure AD application, get an access token to Defender for Endpoint, and validate the token. +This article explains how to create an Azure AD application, get an access token to Microsoft Defender for Endpoint, and validate the token. ## Create an app @@ -50,7 +50,7 @@ This article explains how to create an Azure AD application, get an access token 4. To enable your app to access Defender for Endpoint and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**. > [!NOTE] - > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. ![Image of API access and API selection](images/add-permission.png) @@ -82,9 +82,9 @@ This article explains how to create an Azure AD application, get an access token ![Image of created app id](images/app-and-tenant-ids.png) -8. **For Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted: +8. **For Microsoft Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted: - - Go to **Authentication**, and add https://portal.azure.com as the **Redirect URI**. + - Go to **Authentication**, and add `https://portal.azure.com` as the **Redirect URI**. - On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app. @@ -194,7 +194,7 @@ Ensure that you got the correct token: ![Image of token validation](images/webapp-decoded-token.png) -## Use the token to access Defender for Endpoint API +## Use the token to access Microsoft Defender for Endpoint API 1. Choose the API you want to use. For more information, see [Supported Defender for Endpoint APIs](exposed-apis-list.md). 1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme). @@ -213,6 +213,6 @@ The following is an example of sending a request to get a list of alerts **using // Do something useful with the response ``` -## Related topics -- [Supported Defender for Endpoint APIs](exposed-apis-list.md) -- [Access Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md) +## See also +- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md) From 09425c9a1dbbb830617857e154e2db7e954160b6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:19:55 -0800 Subject: [PATCH 26/37] Update exposed-apis-create-app-webapp.md --- .../exposed-apis-create-app-webapp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index c8dad3ff8d..0e4b4ed677 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -58,11 +58,11 @@ This article explains how to create an Azure AD application, get an access token ![Image of API access and API selection](images/application-permissions.png) - Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance: + You need to select the relevant permissions. 'Read All Alerts' is only an example. For instance: - To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission. - To [isolate a device](isolate-machine.md), select the 'Isolate machine' permission. - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + - To determine which permission you need, look at the **Permissions** section in the API you are interested to call. 5. Select **Grant consent**. @@ -105,7 +105,7 @@ This article explains how to create an Azure AD application, get an access token ## Get an access token -For more details on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds). +For more information on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds). ### Use PowerShell @@ -133,10 +133,10 @@ return $token ### Use C#: -The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8. +The following code was tested with NuGet Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8. 1. Create a new console application. -1. Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). +1. Install NuGet [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). 1. Add the following: ``` @@ -198,7 +198,7 @@ Ensure that you got the correct token: 1. Choose the API you want to use. For more information, see [Supported Defender for Endpoint APIs](exposed-apis-list.md). 1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme). -1. The expiration time of the token is one hour. You can send more then one request with the same token. +1. The expiration time of the token is one hour. You can send more than one request with the same token. The following is an example of sending a request to get a list of alerts **using C#**: ``` From aab0177275050204d7c57baddc04c979ce5bfa40 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:21:48 -0800 Subject: [PATCH 27/37] Update exposed-apis-full-sample-powershell.md --- .../exposed-apis-full-sample-powershell.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 06358c5580..31142c2936 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -1,7 +1,7 @@ --- title: Advanced Hunting with PowerShell API Guide ms.reviewer: -description: Use these code samples, querying several Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs. +description: Use these code samples, querying several Microsoft Defender for Endpoint APIs. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -26,11 +26,11 @@ ms.date: 09/24/2018 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Full scenario using multiple APIs from Defender for Endpoint. +Full scenario using multiple APIs from Microsoft Defender for Endpoint. In this section, we share PowerShell samples to - Retrieve a token -- Use token to retrieve the latest alerts in Defender for Endpoint +- Use token to retrieve the latest alerts in Microsoft Defender for Endpoint - For each alert, if the alert has medium or high priority and is still in progress, check how many times the device has connected to suspicious URL. **Prerequisite**: You first need to [create an app](apis-intro.md). @@ -117,7 +117,7 @@ $response ``` -## Related topic +## See also - [Microsoft Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) From 7a189b295256c526dab0edf6002de3f15b8bfb8c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:23:46 -0800 Subject: [PATCH 28/37] Update exposed-apis-list.md --- .../exposed-apis-list.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index 878180dc45..785ac39e0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -1,7 +1,7 @@ --- -title: Supported Microsoft Defender Advanced Threat Protection APIs +title: Supported Microsoft Defender for Endpoint APIs ms.reviewer: -description: Learn about the specific supported Microsoft Defender Advanced Threat Protection entities where you can create API calls to. +description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. keywords: apis, supported apis, actor, alerts, device, user, domain, ip, file, advanced queries, advanced hunting search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,11 +24,11 @@ ms.topic: article **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -## End Point URI and Versioning +## Endpoint URI and versioning -### End Point URI: +### Endpoint URI: > The service base URI is: https://api.securitycenter.windows.com > @@ -40,7 +40,7 @@ ms.topic: article > > The current version is **V1.0**. > -> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts +> To use a specific version, use this format: `https://api.securitycenter.windows.com/api/{Version}`. For example: `https://api.securitycenter.windows.com/api/v1.0/alerts` > > If you don't specify any version (e.g. https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. @@ -53,17 +53,17 @@ Topic | Description :---|:--- Advanced Hunting | Run queries from API. Alerts | Run API calls such as get alerts, create alert, update alert and more. -Domains | Run API calls such as get domain related devices, domain statistics and more. +Domains | Run API calls such as get domain-related devices, domain statistics and more. Files | Run API calls such as get file information, file related alerts, file related devices, and file statistics. -IPs | Run API calls such as get IP related alerts and get IP statistics. +IPs | Run API calls such as get IP-related alerts and get IP statistics. Machines | Run API calls such as get devices, get devices by ID, information about logged on users, edit tags and more. Machine Actions | Run API call such as Isolation, Run anti-virus scan and more. Indicators | Run API call such as create Indicator, get Indicators and delete Indicators. -Users | Run API calls such as get user related alerts and user related devices. +Users | Run API calls such as get user-related alerts and user-related devices. Score | Run API calls such as get exposure score or get device secure score. Software | Run API calls such as list vulnerabilities by software. Vulnerability | Run API calls such as list devices by vulnerability. -Recommendation | Run API calls such as Get recommendation by Id. +Recommendation | Run API calls such as Get recommendation by ID. -## Related topic +## See also - [Microsoft Defender for Endpoint APIs](apis-intro.md) From df11b00d33ada7f1374e76edde17048fb15fb6fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:26:18 -0800 Subject: [PATCH 29/37] Update exposed-apis-odata-samples.md --- .../exposed-apis-odata-samples.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 9bf1f16482..b4a487ffbe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -1,7 +1,7 @@ --- -title: OData queries with Microsoft Defender ATP +title: OData queries with Microsoft Defender for Endpoint ms.reviewer: -description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP. +description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint. keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -320,7 +320,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g ### Example 6 -Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint ```http HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' @@ -364,5 +364,5 @@ HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415 4 ``` -## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +## See also +- [Microsoft Defender for Endpoint APIs](apis-intro.md) From c9228e8b401399504fc6ff7b0441fa062c93e479 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:27:51 -0800 Subject: [PATCH 30/37] Update feedback-loop-blocking.md --- .../microsoft-defender-atp/feedback-loop-blocking.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md index f8a0036aa3..b5ac0c1ea5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -1,7 +1,7 @@ --- title: Feedback-loop blocking -description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP -keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP +description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint +keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender for Endpoint search.product: eADQiWindows 10XVcnh ms.pagetype: security author: denisebmsft @@ -29,7 +29,7 @@ ms.collection: ## Overview -Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. +Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. ## How feedback-loop blocking works @@ -42,9 +42,9 @@ With rapid protection in place, an attack can be stopped on a device, other devi If your organization is using Defender for Endpoint, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Defender for Endpoint capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Defender for Endpoint are enabled and configured: -- [Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) +- [Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) -- [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) +- [Devices onboarded to Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) - [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) From 31e27dd219cb1a6608fb4ab5066acd525ac9040f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:30:29 -0800 Subject: [PATCH 31/37] Update fetch-alerts-mssp.md --- .../fetch-alerts-mssp.md | 21 ++++++------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md index 3838221082..a4f175566c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md @@ -26,7 +26,7 @@ ms.topic: article - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >[!NOTE] @@ -39,7 +39,7 @@ There are two ways you can fetch alerts: ## Fetch alerts into your SIEM -To fetch alerts into your SIEM system you'll need to take the following steps: +To fetch alerts into your SIEM system, you'll need to take the following steps: Step 1: Create a third-party application @@ -47,21 +47,15 @@ Step 2: Get access and refresh tokens from your customer's tenant Step 3: allow your application on Microsoft Defender Security Center - - - ### Step 1: Create an application in Azure Active Directory (Azure AD) -You'll need to create an application and grant it permissions to fetch alerts from your customer's Defender for Endpoint tenant. - +You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender for Endpoint tenant. 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). 2. Select **Azure Active Directory** > **App registrations**. - 3. Click **New registration**. - 4. Specify the following values: @@ -80,7 +74,6 @@ You'll need to create an application and grant it permissions to fetch alerts fr 9. Click **New client secret**. - - Description: Enter a description for the key. - Expires: Select **In 1 year** @@ -163,12 +156,10 @@ After providing your credentials, you'll need to grant consent to the applicatio 7. You'll be asked to provide your credentials and consent. Ignore the page redirect. 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. - ### Step 3: Allow your application on Microsoft Defender Security Center You'll need to allow the application you created in Microsoft Defender Security Center. - You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you. 1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID. @@ -182,10 +173,10 @@ You'll need to have **Manage portal system settings** permission to allow the ap 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Defender for Endpoint API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). +You can now download the relevant configuration file for your SIEM and connect to the Defender for Endpoint API. For more information, see, [Pull alerts to your SIEM tools](configure-siem.md). -- In the ArcSight configuration file / Splunk Authentication Properties file ? you will have to write your application key manually by settings the secret value. +- In the ArcSight configuration file / Splunk Authentication Properties file, write your application key manually by setting the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs @@ -193,7 +184,7 @@ You can now download the relevant configuration file for your SIEM and connect t For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md). -## Related topics +## See also - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) - [Configure alert notifications](configure-mssp-notifications.md) From c722e10fc87927b8f89a0c16c4c109bbb427d0d3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:34:11 -0800 Subject: [PATCH 32/37] Update files.md --- .../microsoft-defender-atp/files.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 73860bca59..6289c8645b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -1,6 +1,6 @@ --- title: File resource type -description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts related to files. +description: Retrieve recent Microsoft Defender for Endpoint alerts related to files. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Represent a file entity in Defender for Endpoint. @@ -37,24 +37,24 @@ Method|Return Type |Description ## Properties -Property | Type | Description -:---|:---|:--- -sha1 | String | Sha1 hash of the file content -sha256 | String | Sha256 hash of the file content -globalPrevalence | Nullable long | File prevalence across organization -globalFirstObserved | DateTimeOffset | First time the file was observed. -globalLastObserved | DateTimeOffset | Last time the file was observed. -size | Nullable long | Size of the file. -fileType | String | Type of the file. -isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) -filePublisher | String | File publisher. -fileProductName | String | Product name. -signer | String | File signer. -issuer | String | File issuer. -signerHash | String | Hash of the signing certificate. -isValidCertificate | Boolean | Was signing certificate successfully verified by Defender for Endpoint agent. -determinationType | String | The determination type of the file. -determinationValue | String | Determination value. +|Property | Type | Description | +|:---|:---|:---| +|sha1 | String | Sha1 hash of the file content | +|sha256 | String | Sha256 hash of the file content | +|globalPrevalence | Nullable long | File prevalence across organization | +|globalFirstObserved | DateTimeOffset | First time the file was observed | +|globalLastObserved | DateTimeOffset | Last time the file was observed | +|size | Nullable long | Size of the file | +|fileType | String | Type of the file | +|isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) | +|filePublisher | String | File publisher | +|fileProductName | String | Product name | +|signer | String | File signer | +|issuer | String | File issuer | +|signerHash | String | Hash of the signing certificate | +|isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender for Endpoint agent | +|determinationType | String | The determination type of the file | +|determinationValue | String | Determination value | ## Json representation From 850275ae10ad5b749884034f1abd13d3b3173b9d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:35:00 -0800 Subject: [PATCH 33/37] Update find-machines-by-ip.md --- .../microsoft-defender-atp/find-machines-by-ip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 5b69969d33..3db35c6164 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Find [Machines](machine.md) seen with the requested internal IP in the time rang ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- From 6029b01526cbffe74f7798c440bc5e15d4cecaa1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:37:25 -0800 Subject: [PATCH 34/37] Update fix-unhealthy-sensors.md --- .../fix-unhealthy-sensors.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index 30dff867d7..10e0e3eb28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -1,5 +1,5 @@ --- -title: Fix unhealthy sensors in Microsoft Defender ATP +title: Fix unhealthy sensors in Microsoft Defender for Endpoint description: Fix device sensors that are reporting as misconfigured or inactive so that the service receives data from the device. keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/23/2017 +ms.date: 11/06/2020 --- # Fix unhealthy sensors in Microsoft Defender for Endpoint @@ -29,8 +29,7 @@ ms.date: 10/23/2017 - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) +Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) Devices that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a device to be categorized as inactive or misconfigured. @@ -38,17 +37,18 @@ Devices that are categorized as misconfigured or inactive can be flagged due to An inactive device is not necessarily flagged due to an issue. The following actions taken on a device can cause a device to be categorized as inactive: -**Device is not in use**
+### Device is not in use + If the device has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. -**Device was reinstalled or renamed**
+### Device was reinstalled or renamed A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally. -**Device was offboarded**
+### Device was offboarded If the device was offboarded it will still appear in devices list. After 7 days, the device health state should change to inactive. -**Device is not sending signals** +### Device is not sending signals If the device is not sending any signals for more than 7 days to any of the Defender for Endpoint channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive. @@ -65,7 +65,7 @@ This status indicates that there's limited communication between the device and The following suggested actions can help fix issues related to a misconfigured device with impaired communications: - [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. - [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs. @@ -77,10 +77,10 @@ A misconfigured device with status ‘No sensor data’ has communication with t Follow theses actions to correct known issues related to a misconfigured device with status ‘No sensor data’: - [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)
- The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. - [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
- Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. + Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. - [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. @@ -90,5 +90,5 @@ If your devices are running a third-party antimalware client, the Defender for E If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). -## Related topic -- [Check sensor health state in Defender for Endpoint](check-sensor-status.md) +## See also +- [Check sensor health state in Microsoft Defender for Endpoint](check-sensor-status.md) From 3520b68b545fdbede1ee677c792603bb11125062 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:38:52 -0800 Subject: [PATCH 35/37] Update fix-unhealthy-sensors.md --- .../microsoft-defender-atp/fix-unhealthy-sensors.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index 10e0e3eb28..df09d1f6f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -39,17 +39,17 @@ An inactive device is not necessarily flagged due to an issue. The following act ### Device is not in use -If the device has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. +If the device has not been in use for more than seven days for any reason, it will remain in an ‘Inactive’ status in the portal. ### Device was reinstalled or renamed A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally. ### Device was offboarded -If the device was offboarded it will still appear in devices list. After 7 days, the device health state should change to inactive. +If the device was offboarded, it will still appear in devices list. After seven days, the device health state should change to inactive. ### Device is not sending signals -If the device is not sending any signals for more than 7 days to any of the Defender for Endpoint channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive. +If the device is not sending any signals for more than seven days to any of the Microsoft Defender for Endpoint channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive. Do you expect a device to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). From ce2bf055d879affdebccb9e35614e75388048784 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:44:43 -0800 Subject: [PATCH 36/37] fixes --- .../microsoft-defender-atp/exploit-protection-reference.md | 2 +- .../exposed-apis-create-app-nativeapp.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 8e0b432b66..ba855cf88a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -402,7 +402,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. -Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect. +Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect. When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr). diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 36d9d46439..4bbd942ec8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -69,11 +69,11 @@ This page explains how to create an AAD application, get an access token to Micr - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![add permission](images/add-permission.png) - Choose **Delegated permissions** > **Alert.Read** > select **Add permissions** - ![Image of API access and API selection](images/application-permissions-public-client.png) + ![application permissions](images/application-permissions-public-client.png) - **Important note**: Select the relevant permissions. Read alerts is only an example. From 6f2c538b4c9ba2c714f4f9340a49a88e4dda209a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 6 Nov 2020 12:47:42 -0800 Subject: [PATCH 37/37] fixes --- .../exposed-apis-create-app-partners.md | 4 ++-- .../exposed-apis-create-app-webapp.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index 638347246b..e2de608fbd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -63,7 +63,7 @@ The following steps will guide you how to create an Azure AD application, get an - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![add permission](images/add-permission.png) ### Request API permissions @@ -77,7 +77,7 @@ The following steps will guide you how to create an Azure AD application, get an Choose **Application permissions** > **Alert.Read.All** > select on **Add permissions** - ![Image of API access and API selection](images/application-permissions.png) + ![app permissions](images/application-permissions.png) 5. Select **Grant consent** diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index 0e4b4ed677..a7584847f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -52,11 +52,11 @@ This article explains how to create an Azure AD application, get an access token > [!NOTE] > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![add permission](images/add-permission.png) - Select **Application permissions** > **Alert.Read.All**, and then select **Add permissions**. - ![Image of API access and API selection](images/application-permissions.png) + ![app permission](images/application-permissions.png) You need to select the relevant permissions. 'Read All Alerts' is only an example. For instance: @@ -69,7 +69,7 @@ This article explains how to create an Azure AD application, get an access token > [!NOTE] > Every time you add a permission, you must select **Grant consent** for the new permission to take effect. - ![Image of Grant permissions](images/grant-consent.png) + ![Grant permissions](images/grant-consent.png) 6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.