diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 056064b880..39d7708dde 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -44,7 +44,7 @@ This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable. Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur. -The following command modifiers are available. Commands terminate with a new line character (/n). Responses can come at any time in response to state changes not triggered directly by a management port command. +The following command modifiers are available. Commands terminate with a new line character (\n). Responses can come at any time in response to state changes not triggered directly by a management port command. | Modifier | Result | | --- | --- | diff --git a/education/windows/index.md b/education/windows/index.md index 49ea89c1eb..9d3f183b1d 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -44,7 +44,7 @@ author: CelesteDG

[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

-### ![Switch to Windows 10 for Education](images/windows.png) Switch +## ![Switch to Windows 10 for Education](images/windows.png) Switch

[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 7c998c3e0b..39f0826ba4 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -70,7 +70,7 @@ To make this as seamless as possible, in your Azure AD tenant: ![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png) -- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time. +- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time. In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these. diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md index e5affe8444..a42e464435 100644 --- a/education/windows/switch-to-pro-education.md +++ b/education/windows/switch-to-pro-education.md @@ -159,7 +159,7 @@ Once you enable the setting to switch to Windows 10 Pro Education, the switch wi **To turn on the automatic switch to Windows 10 Pro Education** -1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. @@ -341,7 +341,7 @@ Once the automatic switch to Windows 10 Pro Education is turned off, the change **To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch. +1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch. 2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. 3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index e2266ea8a6..637220cb67 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -61,13 +61,13 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Switzerland - United Kingdom -These countries can provide their VAT number or local equivalent in **Payments & billing**. However, they can only acquire free apps. +These countries can provide their VAT number or local equivalent in **Payments & billing**. |Market| Tax identifier | |------|----------------| -| Brazil | CPNJ (required), CCMID (optional) | -| India | CST ID, VAT ID | -| Taiwan | Unified business number| +| Brazil | CNPJ (required) | +| India | CST ID, VAT ID (both are optional) | +| Taiwan | VAT ID (optional) | ### Tax-exempt status diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 92902b6347..0edcf1dfa2 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set Microsoft Store for Business and Education is currently available in these markets. + +### Support for free and paid apps @@ -294,22 +481,29 @@ Microsoft Store for Business and Education is currently available in these marke
Support for free and paid apps
- - - - - - - -
Support for free apps only
-
    -
  • Brazil
    • -
  • India
    • -
  • Russia
    • -
  • Taiwan
    • -
  • Ukraine
    • -
-
+### Support for free apps +Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: +- India +- Russia + +### Support for free apps and Minecraft: Education Edition +Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: +- Brazil +- Taiwan +- Ukraine + +This table summarize what customers can purchase, depending on which Microsoft Store they are using. + +| Store | Free apps | Minecraft: Education Edition | +| ----- | --------- | ---------------------------- | +| Microsoft Store for Business | supported | not supported | +| Microsoft Store for Education | supported | supported; invoice payment required | + +> [!NOTE] +> **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition** +- Admins can acquire free apps from **Microsoft Store for Education**. +- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices). +- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**. ## Privacy notice diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index c1713b7bac..c5c53ac5e6 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md +++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -71,141 +71,41 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ The PinRules element can have the following attributes. For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). -- **Duration** or **NextUpdate** - - Specifies when the Pin Rules will expire. - Either is required. - **NextUpdate** takes precedence if both are specified. - - **Duration**, represented as an XML TimeSpan data type, does not allow years and months. - You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. - - **Required?** Yes. At least one is required. - -- **LogDuration** or **LogEndDate** - - Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. - - **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. - - You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. - - If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. - - **Required?** No. - -- **ListIdentifier** - - Provides a friendly name for the list of pin rules. - Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | +| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | +| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. | #### PinRule Element -The **PinRule** element can have the following attributes: +The **PinRule** element can have the following attributes. -- **Name** - - Uniquely identifies the **PinRule**. - Windows uses this attribute to identify the element for a parsing error or for verbose output. - The attribute is not included in the generated certificate trust list (CTL). - - **Required?** Yes. - -- **Error** - - Describes the action Windows performs when it encounters a PIN mismatch. - You can choose from the following string values: - - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. - - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. - - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. - - **Required?** No. - -- **Log** - - A Boolean value represent as string that equals **true** or **false**. - By default, logging is enabled (**true**). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.| +| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. | +| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. | #### Certificate element -The **Certificate** element can have the following attributes: +The **Certificate** element can have the following attributes. -- **File** - - Path to a file containing one or more certificates. - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - These files can also be Base64 formatted. - All **Site** elements included in the same **PinRule** element can match any of these certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Directory** - - Path to a directory containing one or more of the above certificate files. - Skips any files not containing any certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Base64** - - Base64 encoded certificate(s). - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - This allows the certificates to be included in the XML file without a file directory dependency. - - > [!Note] - > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **EndDate** - - Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. - - If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates. - - If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL. - - For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). | +| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | +| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). | +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element -The **Site** element can have the following attributes: +The **Site** element can have the following attributes. -- **Domain** - - Contains the DNS name to be matched for this pin rule. - When creating the certificate trust list, the parser normalizes the input name string value as follows: - - If the DNS name has a leading "*" it is removed. - - Non-ASCII DNS name are converted to ASCII Puny Code. - - Upper case ASCII characters are converted to lower case. - - If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. - For example, ".xyz.com" would match "abc.xyz.com". - - **Required?** Yes. - -- **AllSubdomains** - - By default, wildcard left hand label matching is restricted to a single left hand label. - This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. - - For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value. - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
- Non-ASCII DNS name are converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List @@ -289,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti 8. Right-click the **Registry** node and click **New**. 9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list. 10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name: + HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config + Click **Select** to close the **Registry Item Browser**. -11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. + +11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) @@ -302,10 +205,6 @@ Sign-in to the reference computer using domain administrator equivalent credenti To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules. -```code -HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config -``` - | Name | Value | |------|-------| | Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config | diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 120dc8ffe8..57e0175c71 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -9,5 +9,5 @@ ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) -## [Mobile Device Management](mdm/index.md) +## [Mobile device management protocol](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md index a7c3befabe..69f6f73aa0 100644 --- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md @@ -191,7 +191,7 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo ## Use Windows Store for Business -[Windows Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users. +[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users. ![company tab on store](images/aadjwsfb.jpg) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 35f400979f..ead7fdaf03 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -141,6 +141,8 @@ #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md) #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md) ### [FileSystem CSP](filesystem-csp.md) +### [Firewall CSP](firewall-csp.md) +#### [Firewall DDF file](firewall-ddf-file.md) ### [HealthAttestation CSP](healthattestation-csp.md) #### [HealthAttestation DDF](healthattestation-ddf.md) ### [HotSpot CSP](hotspot-csp.md) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index d0496bd254..a395891a14 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -3,7 +3,6 @@ title: ActiveSync CSP description: ActiveSync CSP ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 5eb142f971..8aa90d6d7c 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -3,7 +3,6 @@ title: ActiveSync DDF file description: ActiveSync DDF file ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index af1553fa7b..e1c6986fe5 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -3,7 +3,6 @@ title: Add an Azure AD tenant and Azure AD subscription description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index d08e5dbcb7..0746ed4175 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -3,7 +3,6 @@ title: AllJoynManagement CSP description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index ace37aae1a..ebc2840da3 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -3,7 +3,6 @@ title: AllJoynManagement DDF description: AllJoynManagement DDF ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index ec34c9a81f..463b2e0c07 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -3,7 +3,6 @@ title: APPLICATION configuration service provider description: APPLICATION configuration service provider ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/applicationrestrictions-xsd.md b/windows/client-management/mdm/applicationrestrictions-xsd.md index c6e882ee8b..312d90524e 100644 --- a/windows/client-management/mdm/applicationrestrictions-xsd.md +++ b/windows/client-management/mdm/applicationrestrictions-xsd.md @@ -3,7 +3,6 @@ title: ApplicationRestrictions XSD description: Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy. ms.assetid: A5AA2B59-3736-473E-8F70-A90FD61EE426 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index c457da3bc9..a73544002c 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -3,7 +3,6 @@ title: AppLocker CSP description: AppLocker CSP ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 774901b209..e332216b02 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -3,7 +3,6 @@ title: AppLocker DDF file description: AppLocker DDF file ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index b5d6411467..1d578d006d 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -3,7 +3,6 @@ title: AppLocker XSD description: Here's the XSD for the AppLocker CSP. ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 87b67a9d85..d7f18cf787 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -2,7 +2,6 @@ title: Deploy and configure App-V apps using MDM description: Deploy and configure App-V apps using MDM ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index ab8b9b813b..b39d6d9cdf 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -3,7 +3,6 @@ title: Assign seat description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business. ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 6e7d539da0..aad87ff0e5 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -3,7 +3,6 @@ title: AssignedAccess CSP description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index ed03c620a1..4f2fae2306 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -3,7 +3,6 @@ title: AssignedAccess DDF description: AssignedAccess DDF ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 53c8b92d6a..ebdb1d406e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -3,7 +3,6 @@ title: Azure Active Directory integration with MDM description: Azure Active Directory is the world largest enterprise cloud identity management service. ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 49e63bdbb5..308b678f24 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -2,7 +2,6 @@ title: BitLocker CSP description: BitLocker CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows @@ -672,7 +671,7 @@ The following example is provided to show proper format and should not be taken 110 - ./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption int diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index d69c1b2024..2b0491ab35 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -2,7 +2,6 @@ title: BitLocker DDF file description: BitLocker DDF file ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 74305656bd..86259803e4 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -3,7 +3,6 @@ title: BOOTSTRAP CSP description: BOOTSTRAP CSP ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index be9d748a4c..e762d03a4f 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -3,7 +3,6 @@ title: BrowserFavorite CSP description: BrowserFavorite CSP ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 0cb1f97012..3d370d247f 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -3,7 +3,6 @@ title: Bulk assign and reclaim seats from users description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business. ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index e917ea65f5..dca0fac617 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' ms.assetid: DEB98FF3-CC5C-47A1-9277-9EF939716C87 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index e99c32d722..2eb3f56669 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -3,7 +3,6 @@ title: CellularSettings CSP description: CellularSettings CSP ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 7125b67dc1..06d6f265b6 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -3,7 +3,6 @@ title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. ms.assetid: 57DB3C9E-E4C9-4275-AAB5-01315F9D3910 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 67688768a0..03875bfea6 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' ms.assetid: F910C50C-FF67-40B0-AAB0-CA7CE02A9619 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 28c703b43d..20bda706fb 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -3,7 +3,6 @@ title: CertificateStore CSP description: CertificateStore CSP ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index 4f551c65cd..dce1073030 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -3,7 +3,6 @@ title: CertificateStore DDF file description: This topic shows the OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 200e35dde0..4f2d5cc211 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -2,7 +2,6 @@ title: CleanPC CSP description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index c649a25892..cfbd44cc65 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -3,7 +3,6 @@ title: CleanPC DDF description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index d32353f0d6..6391e50c7d 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -3,7 +3,6 @@ title: ClientCertificateInstall CSP description: ClientCertificateInstall CSP ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 0453cf2712..d94173af03 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -3,7 +3,6 @@ title: ClientCertificateInstall DDF file description: ClientCertificateInstall DDF file ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index fccfdd99d5..94a6e27f51 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -3,7 +3,6 @@ title: CM\_CellularEntries CSP description: CM\_CellularEntries CSP ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 4c69ea0f36..693b4feb34 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -3,7 +3,6 @@ title: CM\_ProxyEntries CSP description: CM\_ProxyEntries CSP ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 02aebafdd1..e83953965b 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -3,7 +3,6 @@ title: CMPolicy CSP description: CMPolicy CSP ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 020dcd2cf4..a3c9b663bf 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -3,7 +3,6 @@ title: CMPolicyEnterprise CSP description: CMPolicyEnterprise CSP ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 969ffcd881..6305ea17c3 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -3,7 +3,6 @@ title: CMPolicyEnterprise DDF file description: CMPolicyEnterprise DDF file ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index b0f990f84d..7c7746d87a 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -3,7 +3,6 @@ title: Configuration service provider reference description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. ms.assetid: 71823658-951f-4163-9c40-c4d4adceaaec ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows @@ -14,7 +13,13 @@ author: nickbrower A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. -For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). See the [list of CSPs supported in Windows Holographic](#hololens) and the [list of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) for additional information. +For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). + +Additional lists: +- [List of CSPs supported in Windows Holographic](#hololens) +- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) +- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) +- [List of CSPs supported in Windows 10 S](#windows10s) The following tables show the configuration service providers support in Windows 10. @@ -1143,6 +1148,34 @@ The following tables show the configuration service providers support in Windows + +[Firewall CSP](firewall-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+ + + + [HealthAttestation CSP](healthattestation-csp.md) @@ -2427,4 +2460,55 @@ Footnotes: - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) - [Update CSP](update-csp.md) - [VPNv2 CSP](vpnv2-csp.md) -- [WiFi CSP](wifi-csp.md) \ No newline at end of file +- [WiFi CSP](wifi-csp.md) + +## CSPs supported in Windows 10 S + +The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list: + +- [ActiveSync CSP](activesync-csp.md) +- [APPLICATION CSP](application-csp.md) +- [AppLocker CSP](applocker-csp.md) +- [BOOTSTRAP CSP](bootstrap-csp.md) +- [CellularSettings CSP](cellularsettings-csp.md) +- [CertificateStore CSP](certificatestore-csp.md) +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [CM_CellularEntries CSP](cm-cellularentries-csp.md) +- [Defender CSP](defender-csp.md) +- [DevDetail CSP](devdetail-csp.md) +- [DeviceManageability CSP](devicemanageability-csp.md) +- [DeviceStatus CSP](devicestatus-csp.md) +- [DevInfo CSP](devinfo-csp.md) +- [DiagnosticLog CSP](diagnosticlog-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) +- [EMAIL2 CSP](email2-csp.md) +- [EnterpriseAPN CSP](enterpriseapn-csp.md) +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NAP CSP](nap-csp.md) +- [NAPDEF CSP](napdef-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) +- [NodeCache CSP](nodecache-csp.md) +- [PassportForWork CSP](passportforwork-csp.md) +- [Policy CSP](policy-configuration-service-provider.md) +- [Provisioning CSP](provisioning-csp.md) +- [PROXY CSP](proxy-csp.md) +- [PXLOGICAL CSP](pxlogical-csp.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteFind CSP](remotefind-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) +- [Reporting CSP](reporting-csp.md) +- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [SecureAssessment CSP](secureassessment-csp.md) +- [SecurityPolicy CSP](securitypolicy-csp.md) +- [SharedPC CSP](sharedpc-csp.md) +- [Storage CSP](storage-csp.md) +- [SUPL CSP](supl-csp.md) +- [Update CSP](update-csp.md) +- [VPNv2 CSP](vpnv2-csp.md) +- [WiFi CSP](wifi-csp.md) +- [Win32AppInventory CSP](win32appinventory-csp.md) +- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +- [WindowsLicensing CSP](windowslicensing-csp.md) diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md index 46d78a6b53..1d424f8364 100644 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md @@ -3,7 +3,6 @@ title: Create a custom configuration service provider description: Create a custom configuration service provider ms.assetid: 0cb37f03-5bf2-4451-8276-23f4a1dee33f ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index b99e1d2199..955159f333 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -3,7 +3,6 @@ title: CustomDeviceUI CSP description: CustomDeviceUI CSP ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 94130a9b32..d44a97a49e 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -3,7 +3,6 @@ title: CustomDeviceUI DDF description: CustomDeviceUI DDF ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 0646c7bc07..18b093df38 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -6,7 +6,6 @@ MS-HAID: ms.assetid: ABE44EC8-CBE5-4775-BA8A-4564CB73531B description: ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 59e3660ede..71e91e480e 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -3,7 +3,6 @@ title: Defender CSP description: Defender CSP ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 31ca0530a1..f6856761c6 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -3,7 +3,6 @@ title: Defender DDF file description: Defender DDF file ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md index ee858ca624..ed969ccbee 100644 --- a/windows/client-management/mdm/design-a-custom-windows-csp.md +++ b/windows/client-management/mdm/design-a-custom-windows-csp.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.design\_a\_custom\_windows\_csp' ms.assetid: 0fff9516-a71a-4036-a57b-503ef1a81a37 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index c810f7d31f..40ee770991 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -3,7 +3,6 @@ title: DevDetail CSP description: DevDetail CSP ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index a3217cdadc..e7fbbcac7a 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -3,7 +3,6 @@ title: DevDetail DDF file description: DevDetail DDF file ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index d92e96d1e3..1a00b5f67c 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -3,7 +3,6 @@ title: DeveloperSetup CSP description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10. ms.assetid: ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index 660a18ec77..b9a3348cca 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -3,7 +3,6 @@ title: DeveloperSetup DDF file description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. ms.assetid: ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index cad723b3b8..724d2abe69 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -3,7 +3,6 @@ title: Device update management description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 13abaa5b13..55339fb966 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -3,7 +3,6 @@ title: DeviceInstanceService CSP description: DeviceInstanceService CSP ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 5403558daf..47a36d95c3 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -3,7 +3,6 @@ title: DeviceLock CSP description: DeviceLock CSP ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 98d620d507..466bcbbf38 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -3,7 +3,6 @@ title: DeviceLock DDF file description: DeviceLock DDF file ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 2c1a4e9057..8adc363d59 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -3,7 +3,6 @@ title: DeviceManageability CSP description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index b9c5e0fdd3..1adb50855e 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -3,7 +3,6 @@ title: DeviceManageability DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. ms.assetid: D7FA8D51-95ED-40D2-AA84-DCC4BBC393AB ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index b471da5411..e89043b5c1 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -3,7 +3,6 @@ title: DeviceStatus CSP description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 588f29b1f0..b0e6ad935c 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -3,7 +3,6 @@ title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: 780DC6B4-48A5-4F74-9F2E-6E0D88902A45 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index 0c8c7c1b4a..b11d4a12cf 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -3,7 +3,6 @@ title: DevInfo CSP description: DevInfo CSP ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 5214e026e2..0ee45fd363 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -3,7 +3,6 @@ title: DevInfo DDF file description: DevInfo DDF file ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 19d242e2e3..d4c94639bd 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -3,7 +3,6 @@ title: Diagnose MDM failures in Windows 10 description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 23d67f69aa..da0d026cab 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -3,7 +3,6 @@ title: DiagnosticLog CSP description: DiagnosticLog CSP ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index c976e89478..48154f0bad 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -3,7 +3,6 @@ title: DiagnosticLog DDF description: DiagnosticLog DDF ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index fea3b73003..29889b69f1 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' ms.assetid: 33B2B248-631B-451F-B534-5DA095C4C8E8 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 42e82c15ec..df7701702a 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -3,7 +3,6 @@ title: DMAcc CSP description: DMAcc CSP ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 9cc26d9a12..dbca78b881 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -3,7 +3,6 @@ title: DMAcc DDF file description: DMAcc DDF file ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index eab55f3703..59c7ae444e 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -3,7 +3,6 @@ title: DMClient CSP description: The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 1641220415..85bc763412 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -3,7 +3,6 @@ title: DMClient DDF file description: DMClient DDF file ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index ff07133734..c78e43cc7d 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -13,7 +13,6 @@ api_location: api_type: - DllExport ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 4e627cc08b..17fa2ec201 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -2,7 +2,6 @@ title: DMSessionActions CSP description: DMSessionActions CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index f96a99e0ff..1983b804cc 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -2,7 +2,6 @@ title: DMSessionActions DDF file description: DMSessionActions DDF file ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 9e4dc56f99..b0a286169f 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -2,7 +2,6 @@ title: DynamicManagement CSP description: DynamicManagement CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 7cdf22b682..c1b15243de 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -3,7 +3,6 @@ title: DynamicManagement DDF file description: DynamicManagement DDF file ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 55a6888c65..23d7112ba0 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -3,7 +3,6 @@ title: EAP configuration description: The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10. ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 7537cd4963..54fe0d1273 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -3,7 +3,6 @@ title: EMAIL2 CSP description: EMAIL2 CSP ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 64ad2fbaa6..58614e459a 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -3,7 +3,6 @@ title: EMAIL2 DDF file description: EMAIL2 DDF file ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 04e9d4457f..6fc5284a64 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -3,7 +3,6 @@ title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld d description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index 6d9ccda275..d6b71a088d 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -3,7 +3,6 @@ title: Enterprise app management description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 24637fdf9c..c61db977e9 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -3,7 +3,6 @@ title: EnterpriseAPN CSP description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 72eff006bc..8d656ebb72 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -3,7 +3,6 @@ title: EnterpriseAPN DDF description: EnterpriseAPN DDF ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index cdea336b26..4067c76438 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -3,7 +3,6 @@ title: EnterpriseAppManagement CSP description: EnterpriseAppManagement CSP ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index e5d081b0e6..17b4288eb5 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -2,7 +2,6 @@ title: EnterpriseAppVManagement CSP description: EnterpriseAppVManagement CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 32b45dd1f0..19c14ddfc4 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -2,7 +2,6 @@ title: EnterpriseAppVManagement DDF file description: EnterpriseAppVManagement DDF file ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 895110aca2..ed4d8e0a6e 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -3,7 +3,6 @@ title: EnterpriseAssignedAccess CSP description: EnterpriseAssignedAccess CSP ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows @@ -17,9 +16,8 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. -  -For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). +To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. @@ -45,137 +43,103 @@ When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters. -  +Entry | Description +----------- | ------------ +ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center. +ActionCenter | Example: `` +ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md) +ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `` +ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `` +StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. +StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` +Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid). +Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `` +Application | modern app notification +Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically. + +Application example: +``` syntax + + + Large + + 0 + 2 + + + +``` + +Entry | Description +----------- | ------------ +Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar. + +Application example: +``` syntax + + + + + Large + + 1 + 4 + + + + + + + Large + + 1 + 6 + + + + +``` + +Entry | Description +----------- | ------------ +Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. + +Folder example: +``` syntax + + + Large + + 0 + 2 + + + +``` +An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder. + +``` syntax + + + Medium + + 0 + 0 + + 2 + + +``` + +Entry | Description +----------- | ------------ +Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file. + +> [!Important] +> Do not specify a group entry without a page entry because it will cause an undefined behavior. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EntryDescription

ActionCenter

You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.

-

Example:

-
<ActionCenter enabled="true"></ActionCenter>
-

In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:

-
    -
  • AboveLock/AllowActionCenterNotifications
    • -
  • AboveLock/AllowToasts
    • -
-

For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)

-

You can also add the following optional attributes to the ActionCenter element to override the default behavior:

-
    -
  • aboveLockToastEnabled
    • -
  • actionCenterNotificationEnabled
    • -
-

Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).

-

In this example, the Action Center is enabled and both policies are disabled.

-
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
-

These optional attributes are independent of each other.

-

In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.

-
<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>

StartScreenSize

Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.

-

Valid values:

-
    -
  • Small sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx.
    • -
  • Large sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx.
    • -
-

If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.

-

Example:

-
<StartScreenSize>Large</StartScreenSize>

Application

Provide the product ID for each app that will be available on the device.

-

You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).

-

To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.

-
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>
-modern app notification -

Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.

-

For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 indicates the first column, a value of 1 indicates the second column, and so on.

-

Include autoRun as an attribute to configure the application to run automatically.

-

Example:

-
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
-   <PinToStart>
-      <Size>Large</Size>
-      <Location>
-         <LocationX>0</LocationX>
-         <LocationY>2</LocationY>
-      </Location>
-   </PinToStart>
-</Application>
-

Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.

-

To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.

-
<Apps>
-    <!-- Outlook Calendar -->
-    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
-aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
-        <PinToStart>
-            <Size>Large</Size>
-            <Location>
-                <LocationX>1</LocationX>
-                <LocationY>4</LocationY>
-            </Location>
-        </PinToStart>
-    </Application>
-    <!-- Outlook Mail-->
-    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
-aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
-        <PinToStart>
-            <Size>Large</Size>
-            <Location>
-                <LocationX>1</LocationX>
-                <LocationY>6</LocationY>
-            </Location>
-        </PinToStart>
-    </Application>
-</Apps>

Folder

A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, folderId is mandatory, folderName is optional, which is the folder name displayed on Start. folderId is a unique unsigned integer for each folder.

-

For example:

-
<Application folderId="4" folderName="foldername">
-    <PinToStart>
-        <Size>Large</Size>
-        <Location>
-            <LocationX>0</LocationX>
-            <LocationY>2</LocationY>
-        </Location>
-    </PinToStart>
-</Application>
-

An application that belongs in the folder would add an optional attribute ParentFolderId, which maps to folderId of the folder. In this case, the location of this application will be located inside the folder.

-
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-    <PinToStart>
-        <Size>Medium</Size>
-        <Location>
-            <LocationX>0</LocationX>
-            <LocationY>0</LocationY>
-        </Location>
-        <ParentFolderId>2</ParentFolderId>
-    </PinToStart>
-</Application>

Settings

Settings pages

-

Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.

-
-Important  Do not specify a group entry without a page entry because it will cause an undefined behavior. -
-
-  -
  • System (main menu) - SettingsPageGroupPCSystem
      @@ -279,9 +243,14 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
    • Extensibility - SettingsPageExtensibility
-

Quick action settings

-

Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).

-

Note: Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.

+ +**Quick action settings** + +Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). + +> [!Note] +> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703. +

  • SystemSettings_System_Display_QuickAction_Brightness

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

    • @@ -316,277 +285,265 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl

  • SystemSettings_QuickAction_Camera

    Dependencies - none

-

In this example, all settings pages and quick action settings are allowed. An empty <Settings> node indicates that none of the settings are blocked.

-
<Settings>
-</Settings>
-

In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.

-
<Settings> 
-  <System name="SettingsPageGroupPCSystem" /> 
-  <System name="SettingsPageDisplay" /> 
-  <System name="SettingsPageAppsNotifications" />
-  <System name="SettingsPageCalls" />
-  <System name="SettingsPageMessaging" /> 
-  <System name="SettingsPageBatterySaver" /> 
-  <System name="SettingsPageStorageSenseStorageOverview" />
-  <System name="SettingsPageGroupPCSystemDeviceEncryption" /> 
-  <System name="SettingsPageDrivingMode" /> 
-  <System name="SettingsPagePCSystemInfo" /> 
- </Settings>
-

To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.

Buttons

The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen.

+ +In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. + +``` syntax + + +``` + +In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. + +``` syntax + + + + + + + + + + + + +``` + +Entry | Description +----------- | ------------ +Buttons | The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen. +

  • Start

    -
    -Note   -

    Lock down of the Start button only prevents the press and hold event.

    -
    -
    -  -

  • Back

  • Search

  • Camera

  • Custom1

  • Custom2

    • -

  • Custom3

    -
    -Note   -

    Custom buttons are hardware buttons that can be added to devices by OEMs.

    -
    -
    -  -
    • +

  • Custom3

-

Example:

-
<Buttons>
-   <ButtonLockdownList>
-      <!-- Lockdown all buttons -->
-         <Button name="Search">
-         </Button>
-         <Button name="Camera">
-         </Button>
-         <Button name="Custom1">
-         </Button>
-         <Button name="Custom2">
-         </Button>
-         <Button name="Custom3">
-         </Button>
-   </ButtonLockdownList>
-

The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users.

-
-Note   -

The lockdown settings for a button, per user role, will apply regardless of the button mapping.

-
-
-  -
-
-Warning   -

Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.

-
-
-  -
-

To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open.

-

Example:

-
<ButtonRemapList>
-   <Button name="Search">
-      <ButtonEvent name="Press">
-         <!-- Alarms -->
-         <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
-          </ButtonEvent>
-   </Button>
-</ButtonRemapList>
-

Disabling navigation buttons

-

To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").

-

The following section contains a sample lockdown XML file that shows how to disable navigation buttons.

-

Example:

-
<?xml version="1.0" encoding="utf-8"?>
-<HandheldLockdown version="1.0" >
-    <Default>
-        <ActionCenter enabled="false" />
-        <Apps>
-            <!-- Settings -->
-            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-                <PinToStart>
-                    <Size>Large</Size>
-                    <Location>
-                        <LocationX>0</LocationX>
-                        <LocationY>0</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
 
-            <!-- Phone Apps -->
-            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
-                <PinToStart>
-                    <Size>Small</Size>
-                    <Location>
-                        <LocationX>2</LocationX>
-                        <LocationY>2</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
-        </Apps>
-        <Buttons>
-            <ButtonLockdownList>
-                <Button name="Start">
-                    <ButtonEvent name="Press" />
-                </Button>
-                <Button name="Back">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Search">
-                    <ButtonEvent name="All" />
-                </Button>
-                <Button name="Camera">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom1">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom2">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom3">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-            </ButtonLockdownList>
-            <ButtonRemapList />
-        </Buttons>
-        <MenuItems>
-            <DisableMenuItems/>
-        </MenuItems>
-        <Settings>
-        </Settings>
-        <Tiles>
-            <EnableTileManipulation/>
-        </Tiles>
-        <StartScreenSize>Small</StartScreenSize>
-    </Default>
-</HandheldLockdown>

MenuItems

Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.

-

Example:

-
<MenuItems>
-   <DisableMenuItems/>
-</MenuItems>
-
-Important   -

If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

-
-
-  -

Tiles

Turning-on tile manipulation

-

By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile.

-

If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.

-
-Important   -

If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.

-
-
-  -
-

The following sample file contains configuration for enabling tile manipulation.

-
-Note   -

Tile manipulation is disabled when you don’t have a <Tiles> node in lockdown XML, or if you have a <Tiles> node but don’t have the <EnableTileManipulation/> node.

-
-
-  -
-

Example:

-
<?xml version="1.0" encoding="utf-8"?>
-<HandheldLockdown version="1.0" >
-    <Default>
-        <ActionCenter enabled="false" />
-        <Apps>
-            <!-- Settings -->
-            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
-                <PinToStart>
-                    <Size>Large</Size>
-                    <Location>
-                        <LocationX>0</LocationX>
-                        <LocationY>0</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
+> [!Note]  
+> Lock down of the Start button only prevents the press and hold event.  
+>
+> Custom buttons are hardware buttons that can be added to devices by OEMs.
 
-            <!-- Phone Apps -->
-            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
-                <PinToStart>
-                    <Size>Small</Size>
-                    <Location>
-                        <LocationX>2</LocationX>
-                        <LocationY>2</LocationY>
-                    </Location>
-                </PinToStart>
-            </Application>
-        </Apps>
-        <Buttons>
-            <ButtonLockdownList>
-                <Button name="Start">
-                    <ButtonEvent name="Press" />
-                </Button>
-                <Button name="Back">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Search">
-                    <ButtonEvent name="All" />
-                </Button>
-                <Button name="Camera">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom1">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom2">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-                <Button name="Custom3">
-                    <ButtonEvent name="Press" />
-                    <ButtonEvent name="PressAndHold" />
-                </Button>
-            </ButtonLockdownList>
-            <ButtonRemapList />
-        </Buttons>
-        <MenuItems>
-            <DisableMenuItems/>
-        </MenuItems>
-        <Settings>
-        </Settings>
-        <Tiles>
-            <EnableTileManipulation/>
-        </Tiles>
-        <StartScreenSize>Small</StartScreenSize>
-    </Default>
-</HandheldLockdown>

CSP Runner

Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.

+Buttons example: +``` syntax + + + + + + + + + +``` +The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users. +> [!Note] +> The lockdown settings for a button, per user role, will apply regardless of the button mapping. +> +> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role. + +To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. + +``` syntax + + + +``` +**Disabling navigation buttons** +To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press"). + +The following section contains a sample lockdown XML file that shows how to disable navigation buttons. + +``` syntax + + + + + + + + + Large + + 0 + 0 + + + + + + + + Small + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + Small + + +``` + +Entry | Description +----------- | ------------ +MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create. + +> [!Important] +> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps. + +MenuItems example: + +``` syntax + + + +``` + +Entry | Description +----------- | ------------ +Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. + +> [!Important] +> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. + +The following sample file contains configuration for enabling tile manipulation. + +> [!Note] +> Tile manipulation is disabled when you don’t have a `` node in lockdown XML, or if you have a `` node but don’t have the `` node. + +``` syntax + + + + + + + + + Large + + 0 + 0 + + + + + + + + Small + + 2 + 2 + + + + + + + + + + + + + + + + + + + + + + + + + Small + + +``` + +Entry | Description +----------- | ------------ +CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.   **LockscreenWallpaper/** @@ -735,6 +692,8 @@ Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CS **Clock/TimeZone/** An integer that specifies the time zone of the device. The following table shows the possible values. +Supported operations are Get and Replace. + @@ -1162,9 +1121,6 @@ An integer that specifies the time zone of the device. The following table shows
-  - -Supported operations are Get and Replace. **Locale/Language/** The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567). @@ -1173,8 +1129,6 @@ The language setting is configured in the Default User profile only. > **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. -  - Supported operations are Get and Replace. ## OMA client provisioning examples diff --git a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md index bb85a45187..f98ed740fe 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md @@ -3,7 +3,6 @@ title: EnterpriseAssignedAccess DDF description: EnterpriseAssignedAccess DDF ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md index 2ac1b738f1..6d19a5aedd 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md @@ -3,7 +3,6 @@ title: EnterpriseAssignedAccess XSD description: EnterpriseAssignedAccess XSD ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 729267c808..d75ed17826 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -3,7 +3,6 @@ title: EnterpriseDataProtection CSP description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index d78c14cfb2..a7914046b2 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md @@ -3,7 +3,6 @@ title: EnterpriseDataProtection DDF file description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. ms.assetid: C6427C52-76F9-4EE0-98F9-DE278529D459 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 3e2520f4b7..bc056caa35 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -3,7 +3,6 @@ title: EnterpriseDesktopAppManagement CSP description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications. ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index f50836277d..5bd96246ec 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -3,7 +3,6 @@ title: EnterpriseDesktopAppManagement DDF description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. ms.assetid: EF448602-65AC-4D59-A0E8-779876542FE3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md index ca8224b478..d5e415b890 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md @@ -3,7 +3,6 @@ title: EnterpriseDesktopAppManagement XSD description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. ms.assetid: 60980257-4F48-4A68-8E8E-1EF0A3F090E2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index ec244216b9..2bb98165d4 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -3,7 +3,6 @@ title: EnterpriseExt CSP description: EnterpriseExt CSP ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md index 1b6e1a911f..06bc4c0198 100644 --- a/windows/client-management/mdm/enterpriseext-ddf.md +++ b/windows/client-management/mdm/enterpriseext-ddf.md @@ -3,7 +3,6 @@ title: EnterpriseExt DDF description: EnterpriseExt DDF ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index ed421b64b9..f6b332a182 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -3,7 +3,6 @@ title: EnterpriseExtFileSystem CSP description: EnterpriseExtFileSystem CSP ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md index ea6046e935..dc371ba33a 100644 --- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md +++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md @@ -3,7 +3,6 @@ title: EnterpriseExtFileSystem DDF description: EnterpriseExtFileSystem DDF ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 5e7751a410..23fea75c17 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -3,7 +3,6 @@ title: EnterpriseModernAppManagement CSP description: EnterpriseModernAppManagement CSP ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index f2dce30cd5..4da9c4b384 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -3,7 +3,6 @@ title: EnterpriseModernAppManagement DDF description: EnterpriseModernAppManagement DDF ms.assetid: ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index 64ff62cdc7..74d0c2cb31 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -3,7 +3,6 @@ title: EnterpriseModernAppManagement XSD description: Here is the XSD for the application parameters. ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 18b1e418df..4855aaefd7 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -3,7 +3,6 @@ title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. ms.assetid: 049ECA6E-1AF5-4CB2-8F1C-A5F22D722DAA ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 72a0d80c39..7b22236bf3 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -3,7 +3,6 @@ title: FileSystem CSP description: FileSystem CSP ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md new file mode 100644 index 0000000000..34913158a8 --- /dev/null +++ b/windows/client-management/mdm/firewall-csp.md @@ -0,0 +1,280 @@ +--- +title: Firewall CSP +description: Firewall CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Firewall CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. + +Firewall configuration commands must be wrapped in an Atomic block in SyncML. + +The following diagram shows the Firewall configuration service provider in tree format. + +![firewall csp](images/provisioning-csp-firewall.png) + +**./Vendor/MSFT/Firewall** +

Root node for the Firewall configuration service provider.

+ +**MdmStore** +

Interior node.

+

Supported operation is Get.

+ +**MdmStore/Global** +

Interior node.

+

Supported operations are Get and Replace.

+ +**MdmStore/Global/PolicyVersionSupported** +

DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

+

Value type in integer. Supported operation is Get.

+ +**MdmStore/Global/CurrentProfiles** +

DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

+

Value type in integer. Supported operation is Get.

+ +**MdmStore/Global/DisableStatefulFtp** +

This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.

+

Boolean value. Supported operations are Get and Replace.

+ +**MdmStore/Global/SaIdleTime** +

This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/TPresharedKeyEncodingBD** +

Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/IPsecExempt** +

This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/CRLcheck** +

This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/PolicyVersion** +

This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

+

Value type is string. Supported operation is Get.

+ +**MdmStore/Global/BinaryVersionSupported** +

This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

+

Value type is string. Supported operation is Get.

+ +**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** +

This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Boolean value. Supported operations are Get and Replace.

+ +**MdmStore/Global/EnablePacketQueue** +

This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/DomainProfile** +

Interior node. Supported operation is Get.

+ +**MdmStore/PrivateProfile** +

Interior node. Supported operation is Get.

+ +**MdmStore/PublicProfile** +

Interior node. Supported operation is Get.

+ +**/EnableFirewall** +

This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableStealthMode** +

This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/Shielded** +

This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableUnicastResponsesToMulticastBroadcast** +

This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableInboundNotifications** +

This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AuthAppsAllowUserPrefMerge** +

This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/GlobalPortsAllowUserPrefMerge** +

This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AllowLocalPolicyMerge** +

This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AllowLocalIpsecPolicyMerge** +

This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DefaultOutboundAction** +

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DefaultInboundAction** +

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableStealthModeIpsecSecuredPacketExemption** +

This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**FirewallRules** +

A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

+ +**FirewallRules/_FirewallRuleName_** +

Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

+ +**FirewallRules/_FirewallRuleName_/App** +

Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

+
    +
  • PackageFamilyName
    • +
  • FilePath
    • +
  • FQBN
    • +
  • ServiceName
    • +
+

Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** +

This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/FilePath** +

This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/Fqbn** +

Fully Qualified Binary Name

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/ServiceName** +

This is a service name used in cases when a service, not an application, is sending or receiving traffic.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Protocol** +

0-255 number representing the ip protocol (TCP = 6, UDP = 17)

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalPortRanges** +

Comma separated list of ranges. For example, 100-120,200,300-320.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/RemotePortRanges** +

Comma separated list of ranges, For example, 100-120,200,300-320.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalAddressRanges** +

Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:

+
    +
  • "\*" indicates any local address. If present, this must be the only token included.
    • +
  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
    • +
  • A valid IPv6 address.
    • +
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
    • +
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
    • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** +

List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:

+
    +
  • "\*" indicates any remote address. If present, this must be the only token included.
    • +
  • "Defaultgateway"
    • +
  • "DHCP"
    • +
  • "DNS"
    • +
  • "WINS"
    • +
  • "Intranet"
    • +
  • "RemoteCorpNetwork"
    • +
  • "Internet"
    • +
  • "PlayToRenderers"
    • +
  • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
    • +
  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
    • +
  • A valid IPv6 address.
    • +
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
    • +
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
    • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Description** +

Specifies the description of the rule.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Enabled** +

Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default.

+

Boolean value. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules_FirewallRuleName_/Profiles** +

Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

+ +

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Action** +

Specifies the action for the rule.

+

Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/Action/Type** +

Specifies the action the rule enforces. Supported values:

+
    +
  • 0 - Block
    • +
  • 1 - Allow
    • +
+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Direction** +

Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:

+
    +
  • IN - the rule applies to inbound traffic.
    • +
  • OUT - the rule applies to outbound traffic.
    • +
  • If not specified, the default is IN.
    • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/FirewallRuleName/InterfaceTypes** +

Comma separated list of interface types. Valid values:

+
    +
  • RemoteAccess
    • +
  • Wireless
    • +
  • MobileBroadband
    • +
  • All
    • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** +

List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/EdgeTraversal** +

Indicates whether edge traversal is enabled or disabled for this rule.

+

The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

+

New rules have the EdgeTraversal property disabled by default.

+

Boolean value. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList** +

Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Status** +

Provides information about the specific verrsion of the rule in deployment for monitoring purposes.

+

Value type is string. Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/FriendlyName** +

Specifies the friendly name of the rule. The string must not contain the "|" character.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Name** +

Name of the rule.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md new file mode 100644 index 0000000000..ced7194e3a --- /dev/null +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -0,0 +1,1815 @@ +--- +title: Firewall DDF file +description: Firewall DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Firewall CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + Firewall + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + MdmStore + + + + + + + + + + + + + + + + + + + Global + + + + + + + + + + + + + + + + + + + + PolicyVersionSupported + + + + + This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. + + + + + + + + + + + text/plain + + + + + CurrentProfiles + + + + + This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. + + + + + + + + + + + text/plain + + + + + DisableStatefulFtp + + + + + + This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win. + + + + + + + + + + + text/plain + + + + + SaIdleTime + + + + + + This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + text/plain + + + + + PresharedKeyEncoding + + + + + + This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + text/plain + + + + + IPsecExempt + + + + + + This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + text/plain + + + + + CRLcheck + + + + + + This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. + + + + + + + + + + + text/plain + + + + + PolicyVersion + + + + + This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. + + + + + + + + + + + text/plain + + + + + BinaryVersionSupported + + + + + This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. + + + + + + + + + + + text/plain + + + + + OpportunisticallyMatchAuthSetPerKM + + + + + + This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + text/plain + + + + + EnablePacketQueue + + + + + + This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. + + + + + + + + + + + text/plain + + + + + + DomainProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableStealthMode + + + + + + This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + Shielded + + + + + + This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + text/plain + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableInboundNotifications + + + + + + This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + AuthAppsAllowUserPrefMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + GlobalPortsAllowUserPrefMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + AllowLocalPolicyMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + text/plain + + + + + AllowLocalIpsecPolicyMerge + + + + + + This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + text/plain + + + + + DefaultOutboundAction + + + + + + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DefaultInboundAction + + + + + + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + text/plain + + + + + + PrivateProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableStealthMode + + + + + + This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + Shielded + + + + + + This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + text/plain + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableInboundNotifications + + + + + + This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + AuthAppsAllowUserPrefMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + GlobalPortsAllowUserPrefMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + AllowLocalPolicyMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + text/plain + + + + + AllowLocalIpsecPolicyMerge + + + + + + This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + text/plain + + + + + DefaultOutboundAction + + + + + + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DefaultInboundAction + + + + + + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + text/plain + + + + + + PublicProfile + + + + + + + + + + + + + + + + + + + EnableFirewall + + + + + + This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableStealthMode + + + + + + This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + Shielded + + + + + + This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. + + + + + + + + + + + text/plain + + + + + DisableUnicastResponsesToMulticastBroadcast + + + + + + This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableInboundNotifications + + + + + + This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + AuthAppsAllowUserPrefMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + GlobalPortsAllowUserPrefMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + AllowLocalPolicyMerge + + + + + + This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + + + + + + + + + + + text/plain + + + + + AllowLocalIpsecPolicyMerge + + + + + + This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. + + + + + + + + + + + text/plain + + + + + DefaultOutboundAction + + + + + + This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DefaultInboundAction + + + + + + This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. + + + + + + + + + + + text/plain + + + + + DisableStealthModeIpsecSecuredPacketExemption + + + + + + This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. + + + + + + + + + + + text/plain + + + + + + FirewallRules + + + + + A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. + + + + + + + + + + + + + + + + + + + + + + Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). + + + + + + + + + + FirewallRuleName + + + + + + App + + + + + Rules that control connections for an app, program or service. + +Specified based on the intersection of the following nodes. + +PackageFamilyName +FilePath +FQBN +ServiceName + + + + + + + + + + + + + + + PackageFamilyName + + + + + + + + PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application. + + + + + + + + + + + text/plain + + + + + FilePath + + + + + + + + FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. + + + + + + + + + + + text/plain + + + + + Fqbn + + + + + + + + Fully Qualified Binary Name + + + + + + + + + + + text/plain + + + + + ServiceName + + + + + + + + This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. + + + + + + + + + + + text/plain + + + + + + Protocol + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17) + + + + + + + + + + + text/plain + + + + + LocalPortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320 + + + + + + + + + + + text/plain + + + + + RemotePortRanges + + + + + + + + Comma Separated list of ranges for eg. 100-120,200,300-320 + + + + + + + + + + + text/plain + + + + + LocalAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. +Valid tokens include: +"*" indicates any local address. If present, this must be the only token included. + +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. + + + + + + + + + + + text/plain + + + + + RemoteAddressRanges + + + + + + + + Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: +"*" indicates any remote address. If present, this must be the only token included. +"Defaultgateway" +"DHCP" +"DNS" +"WINS" +"Intranet" +"RemoteCorpNetwork" +"Internet" +"PlayToRenderers" +"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. +A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. +A valid IPv6 address. +An IPv4 address range in the format of "start address - end address" with no spaces included. +An IPv6 address range in the format of "start address - end address" with no spaces included. + + + + + + + + + + + text/plain + + + + + Description + + + + + + + + Specifies the description of the rule. + + + + + + + + + + + text/plain + + + + + Enabled + + + + + + + + Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default. + + + + + + + + + + + text/plain + + + + + Profiles + + + + + + + + Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. + + + + + + + + + + + text/plain + + + + + Action + + + + + Specifies the action for the rule. + +BLOCK - block the connection. +ALLOW - allow the connection. + + +If not specified the default action is BLOCK. + + + + + + + + + + + + + + + Type + + + + + + + + Specifies the action the rule enforces: +0 - Block +1 - Allow + + + + + + + + + + + text/plain + + + + + + Direction + + + + + + + + Comma separated list. The rule is enabled based on the traffic direction as following. + +IN - the rule applies to inbound traffic. +OUT - the rule applies to outbound traffic. + +If not specified the detault is IN. + + + + + + + + + + + text/plain + + + + + InterfaceTypes + + + + + + + + String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All". + If more than one interface type is specified, the strings must be separated by a comma. + + + + + + + + + + + text/plain + + + + + IcmpTypesAndCodes + + + + + + + + The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes. + + + + + + + + + + + text/plain + + + + + EdgeTraversal + + + + + + + + Indicates whether edge traversal is enabled or disabled for this rule. + +The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. + +New rules have the EdgeTraversal property disabled by default. + + + + + + + + + + + + text/plain + + + + + LocalUserAuthorizedList + + + + + + + + Specifies the list of authorized local users for the app container. +This is a string in Security Descriptor Definition Language (SDDL) format.. + + + + + + + + + + + text/plain + + + + + Status + + + + + Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + + + + + + + + + + + text/plain + + + + + FriendlyName + + + + + + + + Specifies the friendly name of the rule. +The string must not contain the "|" character. + + + + + + + + + + + text/plain + + + + + Name + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 2be87cb41d..405f3c7a29 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.get\_inventory' ms.assetid: C5485722-FC49-4358-A097-74169B204E74 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 3f87c9c092..16f29cb848 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -3,7 +3,6 @@ title: Get localized product details description: The Get localized product details operation retrieves the localization information of a product from the Windows Store for Business. ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index 01c44096e8..cf3a27b38c 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md @@ -3,7 +3,6 @@ title: Get offline license description: The Get offline license operation retrieves the offline license information of a product from the Windows Store for Business. ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 9f87e48838..c602332f9b 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -3,7 +3,6 @@ title: Get product details description: The Get product details operation retrieves the product information from the Windows Store for Business for a specific application. ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index 6718e5cedb..ef80b65d3b 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -3,7 +3,6 @@ title: Get product package description: The Get product package operation retrieves the information about a specific application in the Windows Store for Business. ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 1690307eca..24d354e7c2 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -3,7 +3,6 @@ title: Get product packages description: The Get product packages operation retrieves the information about applications in the Windows Store for Business. ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index d9c12d98bc..301be7db93 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -3,7 +3,6 @@ title: Get seat description: The Get seat operation retrieves the information about an active seat for a specified user in the Windows Store for Business. ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index 07b1d29ee9..77e13c0706 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -3,7 +3,6 @@ title: Get seats assigned to a user description: The Get seats assigned to a user operation retrieves information about assigned seats in the Windows Store for Business. ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 61bfe35194..1e5fbe93dd 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -3,7 +3,6 @@ title: Get seats description: The Get seats operation retrieves the information about active seats in the Windows Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 7c80ef299d..fb44d96773 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -3,7 +3,6 @@ title: Device HealthAttestation CSP description: Device HealthAttestation CSP ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 5fdb147167..f3e857ee6f 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -3,7 +3,6 @@ title: HealthAttestation DDF description: HealthAttestation DDF ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 20a0b80e4a..181c625ca6 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -3,7 +3,6 @@ title: HotSpot CSP description: HotSpot CSP ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md index c58afbeff1..be59397ff3 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2.md +++ b/windows/client-management/mdm/iconfigserviceprovider2.md @@ -3,7 +3,6 @@ title: IConfigServiceProvider2 description: IConfigServiceProvider2 ms.assetid: 8deec0fb-59a6-4d08-8ddb-6d0d3d868a10 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md index 59962fc70c..2d72418a32 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md +++ b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md @@ -3,7 +3,6 @@ title: IConfigServiceProvider2 ConfigManagerNotification description: IConfigServiceProvider2 ConfigManagerNotification ms.assetid: b1f0fe0f-afbe-4b36-a75d-34239a86a75c ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md index c1f7bcba4e..d9efa4d469 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2getnode.md +++ b/windows/client-management/mdm/iconfigserviceprovider2getnode.md @@ -3,7 +3,6 @@ title: IConfigServiceProvider2 GetNode description: IConfigServiceProvider2 GetNode ms.assetid: 4dc10a59-f6a2-45c0-927c-d594afc9bb91 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md index 4ce519b21b..5da7ad4b29 100644 --- a/windows/client-management/mdm/icspnode.md +++ b/windows/client-management/mdm/icspnode.md @@ -3,7 +3,6 @@ title: ICSPNode description: ICSPNode ms.assetid: 023466e6-a8ab-48ad-8548-291409686ac2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md index 64b2f077f6..20be80123e 100644 --- a/windows/client-management/mdm/icspnodeadd.md +++ b/windows/client-management/mdm/icspnodeadd.md @@ -3,7 +3,6 @@ title: ICSPNode Add description: ICSPNode Add ms.assetid: 5f03d350-c82b-4747-975f-385fd8b5b3a8 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodeclear.md b/windows/client-management/mdm/icspnodeclear.md index da5f4df092..5c0f660fa3 100644 --- a/windows/client-management/mdm/icspnodeclear.md +++ b/windows/client-management/mdm/icspnodeclear.md @@ -3,7 +3,6 @@ title: ICSPNode Clear description: ICSPNode Clear ms.assetid: b414498b-110a-472d-95c0-2d5b38cd78a6 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md index 5bdf14bd69..cf113766b6 100644 --- a/windows/client-management/mdm/icspnodecopy.md +++ b/windows/client-management/mdm/icspnodecopy.md @@ -3,7 +3,6 @@ title: ICSPNode Copy description: ICSPNode Copy ms.assetid: cd5ce0bc-a08b-4f82-802d-c7ff8701b41f ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodedeletechild.md b/windows/client-management/mdm/icspnodedeletechild.md index 18ddc273d3..686df037ea 100644 --- a/windows/client-management/mdm/icspnodedeletechild.md +++ b/windows/client-management/mdm/icspnodedeletechild.md @@ -3,7 +3,6 @@ title: ICSPNode DeleteChild description: ICSPNode DeleteChild ms.assetid: 8cf3663d-a4cf-4d11-b03a-f1d096ad7f9c ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodedeleteproperty.md b/windows/client-management/mdm/icspnodedeleteproperty.md index 05f421060d..74126c9679 100644 --- a/windows/client-management/mdm/icspnodedeleteproperty.md +++ b/windows/client-management/mdm/icspnodedeleteproperty.md @@ -3,7 +3,6 @@ title: ICSPNode DeleteProperty description: ICSPNode DeleteProperty ms.assetid: 7e21851f-d663-4558-b3e8-590d24b4f6c4 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodeexecute.md b/windows/client-management/mdm/icspnodeexecute.md index 1e7fbb3ae0..ef2c4dfa1a 100644 --- a/windows/client-management/mdm/icspnodeexecute.md +++ b/windows/client-management/mdm/icspnodeexecute.md @@ -3,7 +3,6 @@ title: ICSPNode Execute description: ICSPNode Execute ms.assetid: 5916e7b7-256d-49fd-82b6-db0547a215ec ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md index 2dcb4fe039..aa63ca5b8e 100644 --- a/windows/client-management/mdm/icspnodegetchildnodenames.md +++ b/windows/client-management/mdm/icspnodegetchildnodenames.md @@ -3,7 +3,6 @@ title: ICSPNode GetChildNodeNames description: ICSPNode GetChildNodeNames ms.assetid: dc057f2b-282b-49ac-91c4-bb83bd3ca4dc ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md index d5d7f34557..673d9e8e15 100644 --- a/windows/client-management/mdm/icspnodegetproperty.md +++ b/windows/client-management/mdm/icspnodegetproperty.md @@ -3,7 +3,6 @@ title: ICSPNode GetProperty description: ICSPNode GetProperty ms.assetid: a2bdc158-72e0-4cdb-97ce-f5cf1a44b7db ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md index 10bdea1042..55fabbe552 100644 --- a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md +++ b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md @@ -3,7 +3,6 @@ title: ICSPNode GetPropertyIdentifiers description: ICSPNode GetPropertyIdentifiers ms.assetid: 8a052cd3-d74c-40c4-845f-f804b920deb4 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md index 89fa1faf28..fe58b75211 100644 --- a/windows/client-management/mdm/icspnodegetvalue.md +++ b/windows/client-management/mdm/icspnodegetvalue.md @@ -3,7 +3,6 @@ title: ICSPNode GetValue description: ICSPNode GetValue ms.assetid: c684036d-98be-4659-8ce8-f72436a39b90 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md index 20281324d7..53c5047934 100644 --- a/windows/client-management/mdm/icspnodemove.md +++ b/windows/client-management/mdm/icspnodemove.md @@ -3,7 +3,6 @@ title: ICSPNode Move description: ICSPNode Move ms.assetid: efb359c3-5c86-4975-bf6f-a1c33922442a ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md index bd5143f4de..daae584a37 100644 --- a/windows/client-management/mdm/icspnodesetproperty.md +++ b/windows/client-management/mdm/icspnodesetproperty.md @@ -3,7 +3,6 @@ title: ICSPNode SetProperty description: ICSPNode SetProperty ms.assetid: e235c38f-ea04-4cd8-adec-3c6c0ce7172d ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md index cd5785e4bd..ccb5ff6c76 100644 --- a/windows/client-management/mdm/icspnodesetvalue.md +++ b/windows/client-management/mdm/icspnodesetvalue.md @@ -3,7 +3,6 @@ title: ICSPNode SetValue description: ICSPNode SetValue ms.assetid: b218636d-fe8b-4a0f-b4e8-a621f65619d3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspnodetransactioning.md b/windows/client-management/mdm/icspnodetransactioning.md index 6308948025..536708cb7d 100644 --- a/windows/client-management/mdm/icspnodetransactioning.md +++ b/windows/client-management/mdm/icspnodetransactioning.md @@ -3,7 +3,6 @@ title: ICSPNodeTransactioning description: ICSPNodeTransactioning ms.assetid: 24dc518a-4a8d-41fe-9bc6-217bbbdf6a3f ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/icspvalidate.md b/windows/client-management/mdm/icspvalidate.md index 1648c42f5a..42828da848 100644 --- a/windows/client-management/mdm/icspvalidate.md +++ b/windows/client-management/mdm/icspvalidate.md @@ -3,7 +3,6 @@ title: ICSPValidate description: ICSPValidate ms.assetid: b0993f2d-6269-412f-a329-af25fff34ca2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png new file mode 100644 index 0000000000..f31e4c749d Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 06eb57e279..904aabcc23 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -2,7 +2,6 @@ title: Implement server-side support for mobile application management on Windows description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP). ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 173cf86c99..70a844c704 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index b4ad497c56..98510df8a0 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business' ms.assetid: 0E39AE85-1703-4B24-9A7F-831C6455068F ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md index 3f0bed753c..7a5f26f5ef 100644 --- a/windows/client-management/mdm/maps-csp.md +++ b/windows/client-management/mdm/maps-csp.md @@ -3,7 +3,6 @@ title: Maps CSP description: The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511. ms.assetid: E5157296-7C31-4B08-8877-15304C9F6F26 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/maps-ddf-file.md b/windows/client-management/mdm/maps-ddf-file.md index a1156b2618..e91dbca47e 100644 --- a/windows/client-management/mdm/maps-ddf-file.md +++ b/windows/client-management/mdm/maps-ddf-file.md @@ -3,7 +3,6 @@ title: Maps DDF file description: This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511. ms.assetid: EF22DBB6-0578-4FD0-B8A6-19DC03288FAF ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 4f0cc46430..c2896dd7cd 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' ms.assetid: 4651C81B-D2D6-446A-AA24-04D01C1D0883 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index c84b5cc009..25454c6580 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -2,7 +2,6 @@ title: Messaging CSP description: Messaging CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/messaging-ddf.md b/windows/client-management/mdm/messaging-ddf.md index ba5f12b63a..8a3d8d7e7d 100644 --- a/windows/client-management/mdm/messaging-ddf.md +++ b/windows/client-management/mdm/messaging-ddf.md @@ -2,7 +2,6 @@ title: Messaging DDF file description: Messaging DDF file ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 8f67a3e7b8..e0a4d74fa3 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -3,7 +3,6 @@ title: Mobile device enrollment description: Mobile device enrollment is the first phase of enterprise management. ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index 65bc7017dc..d62bf09a6c 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -3,7 +3,6 @@ title: NAP CSP description: NAP CSP ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 8718057cc1..0019bd057b 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -3,7 +3,6 @@ title: NAPDEF CSP description: NAPDEF CSP ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index cb4a549114..2e9efd2de6 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -2,7 +2,6 @@ title: NetworkProxy CSP description: NetworkProxy CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 2976ff5cab..6657bc67ee 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -2,7 +2,6 @@ title: NetworkProxy DDF file description: AppNetworkProxyLocker DDF file ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index f8abe4b126..eb09ca2909 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -2,7 +2,6 @@ title: NetworkQoSPolicy CSP description: he NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 5d91c70be0..e22f1a5ac3 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -3,7 +3,6 @@ title: NetworkQoSPolicy DDF description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 13071b0644..9992411f6a 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' ms.assetid: 9C42064F-091C-4901-BC73-9ABE79EE4224 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows @@ -851,6 +850,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s

Added a section describing SyncML examples of various ADMX elements.

+[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) +New topic. + + [Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)

Added a new topic describing how to deploy and configure App-V apps using MDM.

@@ -881,6 +884,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Ownership
    • + +MDM support for Windows 10 S +

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
      • +
    • [Policy CSP](policy-configuration-service-provider.md)
      • +
    +   @@ -1151,6 +1162,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### June 2017 + + ++++ + + + + + + + + + + + + + + + +
    New or updated topicDescription
    [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)Added a list of registry locations that ingested policies are allowed to write to.
    [Firewall CSP](firewall-csp.md)Added the following nodes: +
      +
    • Profiles
      • +
    • Direction
      • +
    • InterfaceTypes
      • +
    • EdgeTraversal
      • +
    • Status
      • +
    +Also Added [Firewall DDF file](firewall-ddf-file.md).
    + ### May 2017 @@ -1209,7 +1252,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • EnterpriseDataProtection/RetrieveByCount/Type
    • - + + + + + + +
    [Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)

    Added following deep link parameters to the table:

      @@ -1221,6 +1264,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Ownership
    [Firewall CSP](firewall-csp.md)

    Added new CSP in the next major update to Windows 10.

    +
    MDM support for Windows 10 S

    Updated the following topics to indicate MDM support in Windows 10 S.

    +
      +
    • [Configuration service provider reference](configuration-service-provider-reference.md)
      • +
    • [Policy CSP](policy-configuration-service-provider.md)
      • +
    +
    diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index ec4b3e3070..66ec4f198b 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -3,7 +3,6 @@ title: NodeCache CSP description: NodeCache CSP ms.assetid: b4dd2b0d-79ef-42ac-ab5b-ee07b3097876 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index 7844bdb835..1d3eb141bc 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -3,7 +3,6 @@ title: NodeCache DDF file description: NodeCache DDF file ms.assetid: d7605098-12aa-4423-89ae-59624fa31236 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 3254a5fa75..ca215622b9 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -2,7 +2,6 @@ title: Office CSP description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 61baa13446..85f2f48531 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -3,7 +3,6 @@ title: Office DDF description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 812abafaf9..8ebb0eebf3 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -3,7 +3,6 @@ title: OMA DM protocol support description: OMA DM protocol support ms.assetid: e882aaae-447e-4bd4-9275-463824da4fa0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 6924b0c69b..2ecd4d724f 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -3,7 +3,6 @@ title: On-premise authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 1957d09682..8faa4ccb96 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -3,7 +3,6 @@ title: PassportForWork CSP description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). ms.assetid: 3BAE4827-5497-41EE-B47F-5C071ADB2C51 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index fba44913b5..e425bb220d 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -3,7 +3,6 @@ title: PassportForWork DDF description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index d901a7127d..85c52cab60 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -2,7 +2,6 @@ title: Personalization CSP description: Personalization CSP ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index 1572c8759c..85d8ef7bb0 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -2,7 +2,6 @@ title: Personalization DDF file description: Personalization DDF file ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/policy-admx-backed.md b/windows/client-management/mdm/policy-admx-backed.md deleted file mode 100644 index 7cc49fb6cf..0000000000 --- a/windows/client-management/mdm/policy-admx-backed.md +++ /dev/null @@ -1,4033 +0,0 @@ ---- -title: Policy CSP - ADMX-backed policies -description: Policy CSP - ADMX-backed policies -ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F -ms.author: maricia -ms.date: 05/02/2017 -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower ---- - -# Policy CSP - ADMX-backed policies - -The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. This reference topic targets only policies which are backed by ADMX. To understand the difference between traditional MDM and ADMX-backed policies please see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). - -## Table of ADMX-backed policies for Windows 10, version 1703. - -> [!IMPORTANT] -> To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    MDM CSP setting path/nameGP english nameGP english category pathGP nameGP ADMX file name
    ActiveXControls/ApprovedInstallationSitesApproved Installation Sites for ActiveX ControlsWindows Components/ActiveX Installer ServiceApprovedActiveXInstallSitesActiveXInstallService.admx
    AppVirtualization/AllowAppVClientEnable App-V ClientSystem/App-VEnableAppVappv.admx
    AppVirtualization/AllowDynamicVirtualizationEnable Dynamic VirtualizationSystem/App-V/VirtualizationVirtualization_JITVEnableappv.admx
    AppVirtualization/AllowPackageCleanupEnable automatic cleanup of unused appv packagesSystem/App-V/Package ManagementPackageManagement_AutoCleanupEnableappv.admx
    AppVirtualization/AllowPackageScriptsEnable Package ScriptsSystem/App-V/ScriptingScripting_Enable_Package_Scriptsappv.admx
    AppVirtualization/AllowPublishingRefreshUXEnable Publishing Refresh UXSystem/App-V/PublishingEnable_Publishing_Refresh_UXappv.admx
    AppVirtualization/AllowReportingServerReporting ServerSystem/App-V/ReportingReporting_Server_Policyappv.admx
    AppVirtualization/AllowRoamingFileExclusionsRoaming File ExclusionsSystem/App-V/IntegrationIntegration_Roaming_File_Exclusionsappv.admx
    AppVirtualization/AllowRoamingRegistryExclusionsRoaming Registry ExclusionsSystem/App-V/IntegrationIntegration_Roaming_Registry_Exclusionsappv.admx
    AppVirtualization/AllowStreamingAutoloadSpecify what to load in background (aka AutoLoad)System/App-V/StreamingSteaming_Autoloadappv.admx
    AppVirtualization/ClientCoexistenceAllowMigrationmodeEnable Migration ModeSystem/App-V/Client CoexistenceClient_Coexistence_Enable_Migration_modeappv.admx
    AppVirtualization/IntegrationAllowRootGlobalIntegration Root UserSystem/App-V/IntegrationIntegration_Root_Userappv.admx
    AppVirtualization/IntegrationAllowRootUserIntegration Root GlobalSystem/App-V/IntegrationIntegration_Root_Globalappv.admx
    AppVirtualization/PublishingAllowServer1Publishing Server 1 SettingsSystem/App-V/PublishingPublishing_Server1_Policyappv.admx
    AppVirtualization/PublishingAllowServer2Publishing Server 2 SettingsSystem/App-V/PublishingPublishing_Server2_Policyappv.admx
    AppVirtualization/PublishingAllowServer3Publishing Server 3 SettingsSystem/App-V/PublishingPublishing_Server3_Policyappv.admx
    AppVirtualization/PublishingAllowServer4Publishing Server 4 SettingsSystem/App-V/PublishingPublishing_Server4_Policyappv.admx
    AppVirtualization/PublishingAllowServer5Publishing Server 5 SettingsSystem/App-V/PublishingPublishing_Server5_Policyappv.admx
    AppVirtualization/StreamingAllowCertificateFilterForClient_SSLCertificate Filter For Client SSLSystem/App-V/StreamingStreaming_Certificate_Filter_For_Client_SSLappv.admx
    AppVirtualization/StreamingAllowHighCostLaunchAllow First Time Application Launches if on a High Cost Windows 8 Metered ConnectionSystem/App-V/StreamingStreaming_Allow_High_Cost_Launchappv.admx
    AppVirtualization/StreamingAllowLocationProviderLocation ProviderSystem/App-V/StreamingStreaming_Location_Providerappv.admx
    AppVirtualization/StreamingAllowPackageInstallationRootPackage Installation RootSystem/App-V/StreamingStreaming_Package_Installation_Rootappv.admx
    AppVirtualization/StreamingAllowPackageSourceRootPackage Source RootSystem/App-V/StreamingStreaming_Package_Source_Rootappv.admx
    AppVirtualization/StreamingAllowReestablishmentIntervalReestablishment IntervalSystem/App-V/StreamingStreaming_Reestablishment_Intervalappv.admx
    AppVirtualization/StreamingAllowReestablishmentRetriesReestablishment RetriesSystem/App-V/StreamingStreaming_Reestablishment_Retriesappv.admx
    AppVirtualization/StreamingSharedContentStoreModeShared Content Store (SCS) modeSystem/App-V/StreamingStreaming_Shared_Content_Store_Modeappv.admx
    AppVirtualization/StreamingSupportBranchCacheEnable Support for BranchCacheSystem/App-V/StreamingStreaming_Support_Branch_Cacheappv.admx
    AppVirtualization/StreamingVerifyCertificateRevocationListVerify certificate revocation listSystem/App-V/StreamingStreaming_Verify_Certificate_Revocation_Listappv.admx
    AppVirtualization/VirtualComponentsAllowListVirtual Component Process Allow ListSystem/App-V/VirtualizationVirtualization_JITVAllowListappv.admx
    AttachmentManager/DoNotPreserveZoneInformationDo not preserve zone information in file attachmentsWindows Components/Attachment ManagerAM_MarkZoneOnSavedAtttachmentsAttachmentManager.admx
    AttachmentManager/HideZoneInfoMechanismHide mechanisms to remove zone informationWindows Components/Attachment ManagerAM_RemoveZoneInfoAttachmentManager.admx
    AttachmentManager/NotifyAntivirusProgramsNotify antivirus programs when opening attachmentsWindows Components/Attachment ManagerAM_CallIOfficeAntiVirusAttachmentManager.admx
    Autoplay/DisallowAutoplayForNonVolumeDevicesDisallow Autoplay for non-volume devicesWindows Components/AutoPlay PoliciesNoAutoplayfornonVolumeAutoPlay.admx
    Autoplay/SetDefaultAutoRunBehaviorSet the default behavior for AutoRunWindows Components/AutoPlay PoliciesNoAutorunAutoPlay.admx
    Autoplay/TurnOffAutoPlayTurn off AutoplayWindows Components/AutoPlay PoliciesAutorunAutoPlay.admx
    Connectivity/HardenedUNCPathsHardened UNC PathsNetwork/Network ProviderPol_HardenedPathsnetworkprovider.admx
    CredentialProviders/AllowPINLogonTurn on convenience PIN sign-inSystem/LogonAllowDomainPINLogoncredentialproviders.admx
    CredentialProviders/BlockPicturePasswordTurn off picture password sign-inSystem/LogonBlockDomainPicturePasswordcredentialproviders.admx
    CredentialsUI/DisablePasswordRevealDo not display the password reveal buttonWindows Components/Credential User InterfaceDisablePasswordRevealcredui.admx
    CredentialsUI/EnumerateAdministratorsEnumerate administrator accounts on elevationWindows Components/Credential User InterfaceEnumerateAdministratorscredui.admx
    DataUsage/SetCost3GSet 3G CostNetwork/WWAN Service/WWAN Media CostSetCost3Gwwansvc.admx
    DataUsage/SetCost4GSet 4G CostNetwork/WWAN Service/WWAN Media CostSetCost4Gwwansvc.admx
    Desktop/PreventUserRedirectionOfProfileFolders   desktop.admx
    DeviceInstallation/PreventInstallationOfMatchingDeviceIDsPrevent installation of devices that match any of these device IDsSystem/Device Installation/Device Installation RestrictionsDeviceInstall_IDs_Denydeviceinstallation.admx
    DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClassesPrevent installation of devices using drivers that match these device setup classesSystem/Device Installation/Device Installation RestrictionsDeviceInstall_Classes_Denydeviceinstallation.admx
    DeviceLock/PreventLockScreenSlideShow   ControlPanelDisplay.admx
    ErrorReporting/CustomizeConsentSettingsCustomize consent settingsWindows Components/Windows Error Reporting/ConsentWerConsentCustomize_2ErrorReporting.admx
    ErrorReporting/DisableWindowsErrorReportingDisable Windows Error ReportingWindows Components/Windows Error ReportingWerDisable_2ErrorReporting.admx
    ErrorReporting/DisplayErrorNotificationDisplay Error NotificationWindows Components/Windows Error ReportingPCH_ShowUIErrorReporting.admx
    ErrorReporting/DoNotSendAdditionalDataDo not send additional dataWindows Components/Windows Error ReportingWerNoSecondLevelData_2ErrorReporting.admx
    ErrorReporting/PreventCriticalErrorDisplayPrevent display of the user interface for critical errorsWindows Components/Windows Error ReportingWerDoNotShowUIErrorReporting.admx
    EventLogService/ControlEventLogBehaviorControl Event Log behavior when the log file reaches its maximum sizeWindows Components/Event Log Service/ApplicationChannel_Log_Retention_1eventlog.admx
    EventLogService/SpecifyMaximumFileSizeApplicationLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/ApplicationChannel_LogMaxSize_1eventlog.admx
    EventLogService/SpecifyMaximumFileSizeSecurityLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SecurityChannel_LogMaxSize_2eventlog.admx
    EventLogService/SpecifyMaximumFileSizeSystemLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SystemChannel_LogMaxSize_4eventlog.admx
    InternetExplorer/AddSearchProviderAdd a specific list of search providers to the user's list of search providersWindows Components/Internet ExplorerAddSearchProviderinetres.admx
    InternetExplorer/AllowActiveXFilteringTurn on ActiveX FilteringWindows Components/Internet ExplorerTurnOnActiveXFilteringinetres.admx
    InternetExplorer/AllowAddOnListAdd-on ListWindows Components/Internet Explorer/Security Features/Add-on ManagementAddonManagement_AddOnListinetres.admx
    InternetExplorer/AllowEnhancedProtectedModeTurn on Enhanced Protected ModeWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_EnableEnhancedProtectedModeinetres.admx
    InternetExplorer/AllowEnterpriseModeFromToolsMenuLet users turn on and use Enterprise Mode from the Tools menuWindows Components/Internet ExplorerEnterpriseModeEnableinetres.admx
    InternetExplorer/AllowEnterpriseModeSiteListUse the Enterprise Mode IE website listWindows Components/Internet ExplorerEnterpriseModeSiteListinetres.admx
    InternetExplorer/AllowInternetExplorer7PolicyList Use Policy List of Internet Explorer 7 sitesCompatView_UsePolicyListinetres.admx
    InternetExplorer/AllowInternetExplorerStandardsModeTurn on Internet Explorer Standards Mode for local intranetWindows Components/Internet Explorer/Compatibility ViewCompatView_IntranetSitesinetres.admx
    InternetExplorer/AllowInternetZoneTemplateInternet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneTemplateinetres.admx
    InternetExplorer/AllowIntranetZoneTemplateIntranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneTemplateinetres.admx
    InternetExplorer/AllowLocalMachineZoneTemplateLocal Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneTemplateinetres.admx
    InternetExplorer/AllowLockedDownInternetZoneTemplateLocked-Down Internet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowLockedDownIntranetZoneTemplateLocked-Down Intranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowLockedDownLocalMachineZoneTemplateLocked-Down Local Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplateLocked-Down Restricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowOneWordEntryGo to an intranet site for a one-word entry in the Address barWindows Components/Internet Explorer/Internet Settings/Advanced settings/BrowsingUseIntranetSiteForOneWordEntryinetres.admx
    InternetExplorer/AllowSiteToZoneAssignmentListSite to Zone Assignment ListWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_Zonemapsinetres.admx
    InternetExplorer/AllowSuggestedSitesTurn on Suggested SitesWindows Components/Internet ExplorerEnableSuggestedSitesinetres.admx
    InternetExplorer/AllowTrustedSitesZoneTemplateTrusted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyTrustedSitesZoneTemplateinetres.admx
    InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplateLocked-Down Trusted Sites Zone TemplateIZ_PolicyTrustedSitesZoneLockdownTemplateinetres.admx
    InternetExplorer/AllowsRestrictedSitesZoneTemplateRestricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneTemplateinetres.admx
    InternetExplorer/DisableAdobeFlashTurn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objectsWindows Components/Internet Explorer/Security Features/Add-on ManagementDisableFlashInIEinetres.admx
    InternetExplorer/DisableBypassOfSmartScreenWarnings   inetres.admx
    InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles   inetres.admx
    InternetExplorer/DisableCustomerExperienceImprovementProgramParticipationPrevent participation in the Customer Experience Improvement ProgramWindows Components/Internet ExplorerSQM_DisableCEIPinetres.admx
    InternetExplorer/DisableEnclosureDownloadingPrevent downloading of enclosuresWindows Components/RSS FeedsDisable_Downloading_of_Enclosuresinetres.admx
    InternetExplorer/DisableEncryptionSupportTurn off encryption supportWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_SetWinInetProtocolsinetres.admx
    InternetExplorer/DisableFirstRunWizardPrevent running First Run wizardWindows Components/Internet ExplorerNoFirstRunCustomiseinetres.admx
    InternetExplorer/DisableFlipAheadFeatureTurn off the flip ahead with page prediction featureWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_DisableFlipAheadinetres.admx
    InternetExplorer/DisableHomePageChangeDisable changing home page settingsWindows Components/Internet ExplorerRestrictHomePageinetres.admx
    InternetExplorer/DisableProxyChange   inetres.admx
    InternetExplorer/DisableSearchProviderChangePrevent changing the default search providerWindows Components/Internet ExplorerNoSearchProviderinetres.admx
    InternetExplorer/DisableSecondaryHomePageChangeDisable changing secondary home page settingsWindows Components/Internet ExplorerSecondaryHomePagesinetres.admx
    InternetExplorer/DisableUpdateCheck   inetres.admx
    InternetExplorer/DoNotAllowUsersToAddSites   inetres.admx
    InternetExplorer/DoNotAllowUsersToChangePolicies   inetres.admx
    InternetExplorer/DoNotBlockOutdatedActiveXControlsTurn off blocking of outdated ActiveX controls for Internet ExplorerWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDisableinetres.admx
    InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomainsTurn off blocking of outdated ActiveX controls for Internet Explorer on specific domainsWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDomainAllowlistinetres.admx
    InternetExplorer/IncludeAllLocalSitesIntranet Sites: Include all local (intranet) sites not listed in other zonesWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_IncludeUnspecifiedLocalSitesinetres.admx
    InternetExplorer/IncludeAllNetworkPathsIntranet Sites: Include all network paths (UNCs)Windows Components/Internet Explorer/Internet Control Panel/Security PageIZ_UNCAsIntranetinetres.admx
    InternetExplorer/InternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_1inetres.admx
    InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyFontDownload_1inetres.admx
    InternetExplorer/InternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyZoneElevationURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_1inetres.admx
    InternetExplorer/InternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_AllowScriptlets_1inetres.admx
    InternetExplorer/InternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_Phishing_1inetres.admx
    InternetExplorer/InternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUserdataPersistence_1inetres.admx
    InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_1inetres.admx
    InternetExplorer/InternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_1inetres.admx
    InternetExplorer/IntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_3inetres.admx
    InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyFontDownload_3inetres.admx
    InternetExplorer/IntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyZoneElevationURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_3inetres.admx
    InternetExplorer/IntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_AllowScriptlets_3inetres.admx
    InternetExplorer/IntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_Phishing_3inetres.admx
    InternetExplorer/IntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUserdataPersistence_3inetres.admx
    InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_3inetres.admx
    InternetExplorer/IntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_3inetres.admx
    InternetExplorer/LocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyFontDownload_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyZoneElevationURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_AllowScriptlets_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_Phishing_9inetres.admx
    InternetExplorer/LocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUserdataPersistence_9inetres.admx
    InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_9inetres.admx
    InternetExplorer/LocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_9inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyFontDownload_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyZoneElevationURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_AllowScriptlets_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_Phishing_2inetres.admx
    InternetExplorer/LockedDownInternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUserdataPersistence_2inetres.admx
    InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_2inetres.admx
    InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_2inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyFontDownload_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyZoneElevationURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_AllowScriptlets_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_Phishing_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUserdataPersistence_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_4inetres.admx
    InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_4inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyFontDownload_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyZoneElevationURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_AllowScriptlets_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_Phishing_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUserdataPersistence_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_10inetres.admx
    InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_10inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyFontDownload_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_AllowScriptlets_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_Phishing_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUserdataPersistence_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_8inetres.admx
    InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_8inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyFontDownload_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_AllowScriptlets_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_Phishing_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUserdataPersistence_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_6inetres.admx
    InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_6inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyFontDownload_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_AllowScriptlets_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_Phishing_7inetres.admx
    InternetExplorer/RestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUserdataPersistence_7inetres.admx
    InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_7inetres.admx
    InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_7inetres.admx
    InternetExplorer/SearchProviderListRestrict search providers to a specific listWindows Components/Internet ExplorerSpecificSearchProviderinetres.admx
    InternetExplorer/TrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyFontDownload_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_AllowScriptlets_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_Phishing_5inetres.admx
    InternetExplorer/TrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUserdataPersistence_5inetres.admx
    InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_5inetres.admx
    InternetExplorer/TrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_5inetres.admx
    Kerberos/AllowForestSearchOrder ForestSearchKerberos.admx
    Kerberos/KerberosClientSupportsClaimsCompoundArmorKerberos client support for claims, compound authentication and Kerberos armoringSystem/KerberosEnableCbacAndArmorKerberos.admx
    Kerberos/RequireKerberosArmoringFail authentication requests when Kerberos armoring is not availableSystem/KerberosClientRequireFastKerberos.admx
    Kerberos/RequireStrictKDCValidationRequire strict KDC validationSystem/KerberosValidateKDCKerberos.admx
    Kerberos/SetMaximumContextTokenSizeSet maximum Kerberos SSPI context token buffer sizeSystem/KerberosMaxTokenSizeKerberos.admx
    Power/AllowStandbyWhenSleepingPluggedInAllow standby states (S1-S3) when sleeping (plugged in)System/Power Management/Sleep SettingsAllowStandbyStatesAC_2power.admx
    Power/RequirePasswordWhenComputerWakesOnBatteryRequire a password when a computer wakes (on battery)System/Power Management/Sleep SettingsDCPromptForPasswordOnResume_2power.admx
    Power/RequirePasswordWhenComputerWakesPluggedInRequire a password when a computer wakes (plugged in)System/Power Management/Sleep SettingsACPromptForPasswordOnResume_2power.admx
    Printers/PointAndPrintRestrictionsPoint and Print RestrictionsPrintersPointAndPrint_Restrictions_Win7Printing.admx
    Printers/PointAndPrintRestrictions_UserPoint and Print RestrictionsPointAndPrint_RestrictionsPrinting.admx
    Printers/PublishPrintersAllow printers to be publishedPrintersPublishPrintersPrinting2.admx
    RemoteAssistance/CustomizeWarningMessagesCustomize warning messagesSystem/Remote AssistanceRA_Optionsremoteassistance.admx
    RemoteAssistance/SessionLoggingTurn on session loggingSystem/Remote AssistanceRA_Loggingremoteassistance.admx
    RemoteAssistance/SolicitedRemoteAssistanceConfigure Solicited Remote AssistanceSystem/Remote AssistanceRA_Solicitremoteassistance.admx
    RemoteAssistance/UnsolicitedRemoteAssistanceConfigure Offer Remote AssistanceRA_Unsolicitremoteassistance.admx
    RemoteDesktopServices/AllowUsersToConnectRemotelyAllow users to connect remotely by using Remote Desktop ServicesWindows Components/Remote Desktop Services/Remote Desktop Session Host/ConnectionsTS_DISABLE_CONNECTIONSterminalserver.admx
    RemoteDesktopServices/ClientConnectionEncryptionLevelSet client connection encryption levelWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_ENCRYPTION_POLICYterminalserver.admx
    RemoteDesktopServices/DoNotAllowDriveRedirectionDo not allow drive redirectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource RedirectionTS_CLIENT_DRIVE_Mterminalserver.admx
    RemoteDesktopServices/DoNotAllowPasswordSavingDo not allow passwords to be savedWindows Components/Remote Desktop Services/Remote Desktop Connection ClientTS_CLIENT_DISABLE_PASSWORD_SAVING_2terminalserver.admx
    RemoteDesktopServices/PromptForPasswordUponConnectionAlways prompt for password upon connectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_PASSWORDterminalserver.admx
    RemoteDesktopServices/RequireSecureRPCCommunicationRequire secure RPC communicationWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_RPC_ENCRYPTIONterminalserver.admx
    RemoteProcedureCall/RPCEndpointMapperClientAuthenticationEnable RPC Endpoint Mapper Client AuthenticationSystem/Remote Procedure CallRpcEnableAuthEpResolutionrpc.admx
    RemoteProcedureCall/RestrictUnauthenticatedRPCClientsRestrict Unauthenticated RPC clientsSystem/Remote Procedure CallRpcRestrictRemoteClientsrpc.admx
    Storage/EnhancedStorageDevicesDo not allow Windows to activate Enhanced Storage devicesSystem/Enhanced Storage AccessTCGSecurityActivationDisabledenhancedstorage.admx
    System/BootStartDriverInitializationBoot-Start Driver Initialization PolicySystem/Early Launch AntimalwarePOL_DriverLoadPolicy_Nameearlylauncham.admx
    System/DisableSystemRestoreTurn off System RestoreSystem/System RestoreSR_DisableSRsystemrestore.admx
    WindowsLogon/DisableLockScreenAppNotificationsTurn off app notifications on the lock screenSystem/LogonDisableLockScreenAppNotificationslogon.admx
    WindowsLogon/DontDisplayNetworkSelectionUIDo not display network selection UISystem/LogonDontDisplayNetworkSelectionUIlogon.admx
    - - -## List of <AreaName>/<PolicyName> - - -**ActiveXControls/ApprovedInstallationSites** - -

    This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.

    - -

    If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.

    - -

    Note: Wild card characters cannot be used when specifying the host URLs. -

    - -**AppVirtualization/AllowAppVClient** - -

    This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.

    - -**AppVirtualization/AllowDynamicVirtualization** - -

    Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.

    - -**AppVirtualization/AllowPackageCleanup** - -

    N/A

    - -**AppVirtualization/AllowPackageScripts** - -

    Enables scripts defined in the package manifest of configuration files that should run.

    - -**AppVirtualization/AllowPublishingRefreshUX** - -

    Enables a UX to display to the user when a publishing refresh is performed on the client.

    - -**AppVirtualization/AllowReportingServer** - -

    Reporting Server URL: Displays the URL of reporting server.

    - -

    Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - - Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - - Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - - Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.

    - -

    Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -

    - -**AppVirtualization/AllowRoamingFileExclusions** - -

    Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.

    - -**AppVirtualization/AllowRoamingRegistryExclusions** - -

    Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.

    - -**AppVirtualization/AllowStreamingAutoload** - -

    Specifies how new packages should be loaded automatically by App-V on a specific computer.

    - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - -

    Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.

    - -**AppVirtualization/IntegrationAllowRootGlobal** - -

    Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.

    - -**AppVirtualization/IntegrationAllowRootUser** - -

    Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.

    - -**AppVirtualization/PublishingAllowServer1** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer2** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer3** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer4** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/PublishingAllowServer5** - -

    Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -

    - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - -

    Specifies the path to a valid certificate in the certificate store.

    - -**AppVirtualization/StreamingAllowHighCostLaunch** - -

    This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).

    - -**AppVirtualization/StreamingAllowLocationProvider** - -

    Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.

    - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - -

    Specifies directory where all new applications and updates will be installed.

    - -**AppVirtualization/StreamingAllowPackageSourceRoot** - -

    Overrides source location for downloading package content.

    - -**AppVirtualization/StreamingAllowReestablishmentInterval** - -

    Specifies the number of seconds between attempts to reestablish a dropped session.

    - -**AppVirtualization/StreamingAllowReestablishmentRetries** - -

    Specifies the number of times to retry a dropped session.

    - -**AppVirtualization/StreamingSharedContentStoreMode** - -

    Specifies that streamed package contents will be not be saved to the local hard disk.

    - -**AppVirtualization/StreamingSupportBranchCache** - -

    If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache

    - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - -

    Verifies Server certificate revocation status before streaming using HTTPS.

    - -**AppVirtualization/VirtualComponentsAllowList** - -

    Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.

    - -**AttachmentManager/DoNotPreserveZoneInformation** - -

    This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.

    - -

    If you enable this policy setting, Windows does not mark file attachments with their zone information.

    - -

    If you disable this policy setting, Windows marks file attachments with their zone information.

    - -

    If you do not configure this policy setting, Windows marks file attachments with their zone information.

    - -**AttachmentManager/HideZoneInfoMechanism** - -

    This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.

    - -

    If you enable this policy setting, Windows hides the check box and Unblock button.

    - -

    If you disable this policy setting, Windows shows the check box and Unblock button.

    - -

    If you do not configure this policy setting, Windows hides the check box and Unblock button.

    - -**AttachmentManager/NotifyAntivirusPrograms** - -

    This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.

    - -

    If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

    - -

    If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

    - -

    If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

    - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - -

    This policy setting disallows AutoPlay for MTP devices like cameras or phones.

    - -

    If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.

    - -

    If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.

    - -**Autoplay/SetDefaultAutoRunBehavior** - -

    This policy setting sets the default behavior for Autorun commands.

    - -

    Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.

    - -

    Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.

    - -

    This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.

    - -

    If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:

    - -

    a) Completely disable autorun commands, or - b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.

    - -

    If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.

    - -**Autoplay/TurnOffAutoPlay** - -

    This policy setting allows you to turn off the Autoplay feature.

    - -

    Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.

    - -

    Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.

    - -

    Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.

    - -

    If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.

    - -

    This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.

    - -

    If you disable or do not configure this policy setting, AutoPlay is enabled.

    - -

    Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.

    - -**Connectivity/HardenedUNCPaths** - -

    This policy setting configures secure access to UNC paths.

    - -

    If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -

    - -**CredentialProviders/AllowPINLogon** - -

    This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

    - -

    If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.

    - -

    If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.

    - -

    Note that the user's domain password will be cached in the system vault when using this feature.

    - -**CredentialProviders/BlockPicturePassword** - -

    This policy setting allows you to control whether a domain user can sign in using a picture password.

    - -

    If you enable this policy setting, a domain user can't set up or sign in with a picture password.

    - -

    If you disable or don't configure this policy setting, a domain user can set up and use a picture password.

    - -

    Note that the user's domain password will be cached in the system vault when using this feature.

    - -**CredentialsUI/DisablePasswordReveal** - -

    This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

    - -

    If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.

    - -

    If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.

    - -

    By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.

    - -

    The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

    - -**CredentialsUI/EnumerateAdministrators** - -

    This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.

    - -

    If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.

    - -

    If you disable this policy setting, users will always be required to type a user name and password to elevate.

    - -**DataUsage/SetCost3G** - -

    This policy setting configures the cost of 3G connections on the local machine.

    - -

    If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:

    - -

    - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

    - -

    - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

    - -

    - Variable: This connection is costed on a per byte basis.

    - -

    If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. -

    - -**DataUsage/SetCost4G** - -

    This policy setting configures the cost of 4G connections on the local machine.

    - -

    If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:

    - -

    - Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

    - -

    - Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

    - -

    - Variable: This connection is costed on a per byte basis.

    - -

    If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -

    - -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - -

    This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

    - -

    If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

    - -

    If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

    - -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - -

    This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

    - -

    If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

    - -**ErrorReporting/CustomizeConsentSettings** - -

    This policy setting determines the consent behavior of Windows Error Reporting for specific event types.

    - -

    If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.

    - -

    - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.

    - -

    - 1 (Always ask before sending data): Windows prompts the user for consent to send reports.

    - -

    - 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.

    - -

    - 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.

    - -

    - 4 (Send all data): Any data requested by Microsoft is sent automatically.

    - -

    If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.

    - -**ErrorReporting/DisableWindowsErrorReporting** - -

    This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.

    - -

    If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.

    - -

    If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.

    - -**ErrorReporting/DisplayErrorNotification** - -

    This policy setting controls whether users are shown an error dialog box that lets them report an error.

    - -

    If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.

    - -

    If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.

    - -

    If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.

    - -

    See also the Configure Error Reporting policy setting.

    - -**ErrorReporting/DoNotSendAdditionalData** - -

    This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.

    - -

    If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.

    - -

    If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.

    - -**ErrorReporting/PreventCriticalErrorDisplay** - -

    This policy setting prevents the display of the user interface for critical errors.

    - -

    If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.

    - -

    If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.

    - -**EventLogService/ControlEventLogBehavior** - -

    This policy setting controls Event Log behavior when the log file reaches its maximum size.

    - -

    If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.

    - -

    If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.

    - -

    Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.

    - -**EventLogService/SpecifyMaximumFileSizeApplicationLog** - -

    This policy setting specifies the maximum size of the log file in kilobytes.

    - -

    If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

    - -

    If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

    - -**EventLogService/SpecifyMaximumFileSizeSecurityLog** - -

    This policy setting specifies the maximum size of the log file in kilobytes.

    - -

    If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

    - -

    If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

    - -**EventLogService/SpecifyMaximumFileSizeSystemLog** - -

    This policy setting specifies the maximum size of the log file in kilobytes.

    - -

    If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

    - -

    If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

    - -**InternetExplorer/AddSearchProvider** - -

    This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

    - -

    If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

    - -

    If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

    - -**InternetExplorer/AllowActiveXFiltering** - -

    This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

    - -

    If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.

    - -

    If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.

    - -**InternetExplorer/AllowAddOnList** - -

    This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

    - -

    This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

    - -

    If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

    - -

    Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

    - -

    Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

    - -

    If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

    - -**InternetExplorer/AllowEnhancedProtectedMode** - -

    Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

    - -

    If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

    - -

    If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

    - -

    If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

    - -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** - -

    This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

    - -

    If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

    - -

    If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

    - -**InternetExplorer/AllowEnterpriseModeSiteList** - -

    This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

    - -

    If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

    - -

    If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

    - -**InternetExplorer/AllowInternetExplorer7PolicyList ** - -

    This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

    - -

    If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.

    - -

    If you disable or do not configure this policy setting, the user can add and remove sites from the list.

    - -**InternetExplorer/AllowInternetExplorerStandardsMode** - -

    This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

    - -

    If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.

    - -

    If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.

    - -

    If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

    - -**InternetExplorer/AllowInternetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowIntranetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLocalMachineZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowOneWordEntry** - -

    This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

    - -

    If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.

    - -

    If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.

    - -**InternetExplorer/AllowSiteToZoneAssignmentList** - -

    This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

    - -

    Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

    - -

    If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

    - -

    Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

    - -

    Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

    - -

    If you disable or do not configure this policy, users may choose their own site-to-zone assignments.

    - -**InternetExplorer/AllowSuggestedSites** - -

    This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.

    - -

    If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.

    - -

    If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

    - -

    If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

    - -**InternetExplorer/AllowTrustedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - -

    This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

    - -

    If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

    - -

    If you disable this template policy setting, no security level is configured.

    - -

    If you do not configure this template policy setting, no security level is configured.

    - -

    Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

    - -

    Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

    - -**InternetExplorer/DisableAdobeFlash** - -

    This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

    - -

    If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.

    - -

    If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

    - -

    Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.

    - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - -

    This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

    - -

    If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

    - -

    If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

    - -

    If you do not configure this policy setting, the user can choose to participate in the CEIP.

    - -**InternetExplorer/DisableEnclosureDownloading** - -

    This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

    - -

    If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

    - -

    If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

    - -**InternetExplorer/DisableEncryptionSupport** - -

    This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.

    - -

    If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

    - -

    If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.

    - -

    Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

    - -**InternetExplorer/DisableFirstRunWizard** - -

    This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

    - -

    If you enable this policy setting, you must make one of the following choices: - Skip the First Run wizard, and go directly to the user's home page. - Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

    - -

    Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.

    - -

    If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

    - -**InternetExplorer/DisableFlipAheadFeature** - -

    This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

    - -

    Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

    - -

    If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

    - -

    If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

    - -

    If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

    - -**InternetExplorer/DisableHomePageChange** - -

    The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.

    - -

    If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

    - -

    If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.

    - -**InternetExplorer/DisableSearchProviderChange** - -

    This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

    - -

    If you enable this policy setting, the user cannot change the default search provider.

    - -

    If you disable or do not configure this policy setting, the user can change the default search provider.

    - -**InternetExplorer/DisableSecondaryHomePageChange** - -

    Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

    - -

    If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.

    - -

    If you disable or do not configure this policy setting, the user can add secondary home pages.

    - -

    Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.

    - -**InternetExplorer/DoNotBlockOutdatedActiveXControls** - -

    This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

    - -

    If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

    - -

    If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

    - -

    For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

    - -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** - -

    This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

    - -

    If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

    - -

    1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"

    - -

    If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

    - -

    For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

    - -**InternetExplorer/IncludeAllLocalSites** - -

    This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.

    - -

    If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.

    - -

    If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

    - -

    If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.

    - -**InternetExplorer/IncludeAllNetworkPaths** - -

    This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

    - -

    If you enable this policy setting, all network paths are mapped into the Intranet Zone.

    - -

    If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

    - -

    If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

    - -**InternetExplorer/InternetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/InternetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

    - -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

    - -**InternetExplorer/InternetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/InternetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/InternetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/IntranetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

    - -**InternetExplorer/IntranetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

    - -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

    - -**InternetExplorer/IntranetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/IntranetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

    - -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LocalMachineZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

    - -

    If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

    - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

    - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

    - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

    - -

    If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

    - -**InternetExplorer/SearchProviderList** - -

    This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

    - -

    If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

    - -

    If you disable or do not configure this policy setting, the user can configure his or her list of search providers.

    - -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** - -

    This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

    - -

    If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -

    If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

    - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -

    This policy setting manages whether users will be automatically prompted for ActiveX control installations.

    - -

    If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -

    If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

    - -

    If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

    - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -

    This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

    - -

    If you enable this setting, users will receive a file download dialog for automatic download attempts.

    - -

    If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

    - -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - -

    This policy setting allows you to manage whether pages of the zone may download HTML fonts.

    - -

    If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

    - -

    If you disable this policy setting, HTML fonts are prevented from downloading.

    - -

    If you do not configure this policy setting, HTML fonts can be downloaded automatically.

    - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - -

    This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

    - -

    If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

    - -

    If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

    - -

    If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

    - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - -

    This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

    - -

    If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

    - -

    If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

    - -

    If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

    - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - -

    This policy setting allows you to manage whether the user can run scriptlets.

    - -

    If you enable this policy setting, the user can run scriptlets.

    - -

    If you disable this policy setting, the user cannot run scriptlets.

    - -

    If you do not configure this policy setting, the user can enable or disable scriptlets.

    - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - -

    This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

    - -

    If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

    - -

    If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

    - -

    Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

    - -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** - -

    This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

    - -

    If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -

    If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

    - -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** - -

    This policy setting allows you to manage ActiveX controls not marked as safe.

    - -

    If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

    - -

    If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -

    If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

    - -

    If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

    - -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** - -

    This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

    - -

    If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

    - -

    If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

    - -

    If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

    - -**Kerberos/AllowForestSearchOrder** - -

    This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).

    - -

    If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.

    - -

    If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

    - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - -

    This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.

    - -

    If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -

    - -**Kerberos/RequireKerberosArmoring** - -

    This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.

    - -

    Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.

    - -

    If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.

    - -

    Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.

    - -

    If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -

    - -**Kerberos/RequireStrictKDCValidation** - -

    This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.

    - -

    If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.

    - -

    If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -

    - -**Kerberos/SetMaximumContextTokenSize** - -

    This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.

    - -

    If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.

    - -

    If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.

    - -

    Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.

    - -

    - -**Power/AllowStandbyWhenSleepingPluggedIn** - -

    This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.

    - -

    If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.

    - -

    If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.

    - -**Power/RequirePasswordWhenComputerWakesOnBattery** - -

    This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

    - -

    If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

    - -

    If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

    - -**Power/RequirePasswordWhenComputerWakesPluggedIn** - -

    This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

    - -

    If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

    - -

    If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

    - -**Printers/PointAndPrintRestrictions** - -

    This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

    - -

    If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

    - -

    If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

    - -

    If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

    - -**Printers/PointAndPrintRestrictions_User** - -

    This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

    - -

    If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

    - -

    If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

    - -

    If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

    - -**Printers/PublishPrinters** - -

    Determines whether the computer's shared printers can be published in Active Directory.

    - -

    If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.

    - -

    If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.

    - -

    Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".

    - -**RemoteAssistance/CustomizeWarningMessages** - -

    This policy setting lets you customize warning messages.

    - -

    The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.

    - -

    The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.

    - -

    If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.

    - -

    If you disable this policy setting, the user sees the default warning message.

    - -

    If you do not configure this policy setting, the user sees the default warning message.

    - -**RemoteAssistance/SessionLogging** - -

    This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.

    - -

    If you enable this policy setting, log files are generated.

    - -

    If you disable this policy setting, log files are not generated.

    - -

    If you do not configure this setting, application-based settings are used.

    - -**RemoteAssistance/SolicitedRemoteAssistance** - -

    This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

    - -

    If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.

    - -

    If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

    - -

    If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.

    - -

    If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."

    - -

    The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.

    - -

    The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.

    - -

    If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.

    - -**RemoteAssistance/UnsolicitedRemoteAssistance** - -

    This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

    - -

    If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

    - -

    If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

    - -

    If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

    - -

    If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.

    - -

    To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:

    - -

    \ or

    - -

    \

    - -

    If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.

    - -

    Windows Vista and later

    - -

    Enable the Remote Assistance exception for the domain profile. The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe

    - -

    Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)

    - -

    Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe

    - -

    For computers running Windows Server 2003 with Service Pack 1 (SP1)

    - -

    Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception

    - -**RemoteDesktopServices/AllowUsersToConnectRemotely** - -

    This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

    - -

    If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.

    - -

    If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

    - -

    If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.

    - -

    Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.

    - -

    You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. -

    - -**RemoteDesktopServices/ClientConnectionEncryptionLevel** - -

    Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.

    - -

    If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

    - -

    * High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.

    - -

    * Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

    - -

    * Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

    - -

    If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.

    - -

    Important

    - -

    FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. -

    - -**RemoteDesktopServices/DoNotAllowDriveRedirection** - -

    This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

    - -

    By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.

    - -

    If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.

    - -

    If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.

    - -

    If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. -

    - -**RemoteDesktopServices/DoNotAllowPasswordSaving** - -

    Controls whether passwords can be saved on this computer from Remote Desktop Connection.

    - -

    If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.

    - -

    If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

    - -**RemoteDesktopServices/PromptForPasswordUponConnection** - -

    This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

    - -

    You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

    - -

    By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

    - -

    If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

    - -

    If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

    - -

    If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. -

    - -**RemoteDesktopServices/RequireSecureRPCCommunication** - -

    Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

    - -

    You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

    - -

    If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

    - -

    If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

    - -

    If the status is set to Not Configured, unsecured communication is allowed.

    - -

    Note: The RPC interface is used for administering and configuring Remote Desktop Services.

    - -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** - -

    This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.

    - -

    If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.

    - -

    If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

    - -

    If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

    - -

    Note: This policy will not be applied until the system is rebooted.

    - -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - -

    This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.

    - -

    This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.

    - -

    If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.

    - -

    If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.

    - -

    If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.

    - -

    -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.

    - -

    -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.

    - -

    -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.

    - -

    Note: This policy setting will not be applied until the system is rebooted.

    - -**Storage/EnhancedStorageDevices** - -

    This policy setting configures whether or not Windows will activate an Enhanced Storage device.

    - -

    If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.

    - -

    If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.

    - -**System/BootStartDriverInitialization** - -

    N/A

    - -**System/DisableSystemRestore** - -

    Allows you to disable System Restore.

    - -

    This policy setting allows you to turn off System Restore.

    - -

    System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.

    - -

    If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.

    - -

    If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.

    - -

    Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.

    - -**WindowsLogon/DisableLockScreenAppNotifications** - -

    This policy setting allows you to prevent app notifications from appearing on the lock screen.

    - -

    If you enable this policy setting, no app notifications are displayed on the lock screen.

    - -

    If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

    - -**WindowsLogon/DontDisplayNetworkSelectionUI** - -

    This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

    - -

    If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.

    - -

    If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.

    - - - - - - - diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 040f1794f0..5b81c0026b 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -3,7 +3,6 @@ title: Policy CSP description: Policy CSP ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows @@ -108,6 +107,9 @@ The following diagram shows the Policy configuration service provider in tree fo

    Supported operations are Add and Get. Does not support Delete. +> [!Note] +> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S. +

    @@ -116,6 +118,29 @@ The following diagram shows the Policy configuration service provider in tree fo **AboveLock/AllowActionCenterNotifications** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -129,26 +154,34 @@ The following diagram shows the Policy configuration service provider in tree fo

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AboveLock/AllowCortanaAboveLock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. @@ -157,26 +190,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AboveLock/AllowToasts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow toast notifications above the device lock screen. @@ -187,26 +228,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowAddingNonMicrosoftAccountsManually** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether user is allowed to add non-MSA email accounts. @@ -220,26 +269,34 @@ SKU Support: > [!NOTE] > This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowMicrosoftAccountConnection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. @@ -250,26 +307,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/AllowMicrosoftAccountSignInAssistant** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. @@ -278,27 +343,34 @@ SKU Support: - 0 – Disabled. - 1 (default) – Manual start. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Accounts/DomainNamesForEmailSync** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies a list of the domains that are allowed to sync email on the device. @@ -306,22 +378,7 @@ SKU Support:

    The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ActiveXControls/ApprovedInstallationSites** @@ -335,9 +392,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. - - - ADMX Info: @@ -354,8 +408,6 @@ ADMX Info: This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. - - ADMX Info: @@ -372,8 +424,6 @@ ADMX Info: Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. - - ADMX Info: @@ -390,8 +440,6 @@ ADMX Info: Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. - - ADMX Info: @@ -408,8 +456,6 @@ ADMX Info: Enables scripts defined in the package manifest of configuration files that should run. - - ADMX Info: @@ -426,8 +472,6 @@ ADMX Info: Enables a UX to display to the user when a publishing refresh is performed on the client. - - ADMX Info: @@ -454,9 +498,6 @@ Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. - - - ADMX Info: @@ -473,8 +514,6 @@ ADMX Info: Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - ADMX Info: @@ -491,8 +530,6 @@ ADMX Info: Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - ADMX Info: @@ -509,8 +546,6 @@ ADMX Info: Specifies how new packages should be loaded automatically by App-V on a specific computer. - - ADMX Info: @@ -527,8 +562,6 @@ ADMX Info: Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. - - ADMX Info: @@ -545,8 +578,6 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - ADMX Info: @@ -563,8 +594,6 @@ ADMX Info: Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - ADMX Info: @@ -599,9 +628,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -636,9 +662,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -673,9 +696,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -710,9 +730,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -747,9 +764,6 @@ User Publishing Refresh Interval: Specifies the publishing refresh interval usin User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - ADMX Info: @@ -766,8 +780,6 @@ ADMX Info: Specifies the path to a valid certificate in the certificate store. - - ADMX Info: @@ -784,8 +796,6 @@ ADMX Info: This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). - - ADMX Info: @@ -802,8 +812,6 @@ ADMX Info: Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. - - ADMX Info: @@ -820,8 +828,6 @@ ADMX Info: Specifies directory where all new applications and updates will be installed. - - ADMX Info: @@ -838,8 +844,6 @@ ADMX Info: Overrides source location for downloading package content. - - ADMX Info: @@ -856,8 +860,6 @@ ADMX Info: Specifies the number of seconds between attempts to reestablish a dropped session. - - ADMX Info: @@ -874,8 +876,6 @@ ADMX Info: Specifies the number of times to retry a dropped session. - - ADMX Info: @@ -892,8 +892,6 @@ ADMX Info: Specifies that streamed package contents will be not be saved to the local hard disk. - - ADMX Info: @@ -910,8 +908,6 @@ ADMX Info: If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache - - ADMX Info: @@ -928,8 +924,6 @@ ADMX Info: Verifies Server certificate revocation status before streaming using HTTPS. - - ADMX Info: @@ -946,8 +940,6 @@ ADMX Info: Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. - - ADMX Info: @@ -961,6 +953,29 @@ ADMX Info: **ApplicationDefaults/DefaultAssociationsConfiguration** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. @@ -1018,27 +1033,34 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z ``` - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowAllTrustedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether non Windows Store apps are allowed. @@ -1050,26 +1072,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowAppStoreAutoUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether automatic update of apps from Windows Store are allowed. @@ -1080,26 +1110,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowDeveloperUnlock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether developer unlock is allowed. @@ -1111,26 +1149,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowGameDVR** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -1144,26 +1190,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowSharedUserAppData** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether multiple users of the same app can share data. @@ -1174,26 +1228,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/AllowStore** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + +

    Specifies whether app store is allowed at the device. @@ -1204,26 +1266,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/ApplicationRestrictions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -1249,26 +1319,34 @@ SKU Support:

    Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/DisableStoreOriginatedApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. @@ -1277,26 +1355,34 @@ SKU Support: - 0 (default) – Enable launch of apps. - 1 – Disable launch of apps. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RequirePrivateStoreOnly** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcheck markcheck mark
    + +

    Allows disabling of the retail catalog and only enables the Private store. @@ -1316,26 +1402,34 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RestrictAppDataToSystemVolume** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether application data is restricted to the system drive. @@ -1346,26 +1440,34 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ApplicationManagement/RestrictAppToSystemVolume** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether the installation of applications is restricted to the system drive. @@ -1376,22 +1478,7 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **AttachmentManager/DoNotPreserveZoneInformation** @@ -1405,8 +1492,6 @@ If you disable this policy setting, Windows marks file attachments with their zo If you do not configure this policy setting, Windows marks file attachments with their zone information. - - ADMX Info: @@ -1429,8 +1514,6 @@ If you disable this policy setting, Windows shows the check box and Unblock butt If you do not configure this policy setting, Windows hides the check box and Unblock button. - - ADMX Info: @@ -1453,8 +1536,6 @@ If you disable this policy setting, Windows does not call the registered antivir If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - - ADMX Info: @@ -1468,6 +1549,29 @@ ADMX Info: **Authentication/AllowEAPCertSSO** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1487,26 +1591,34 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Authentication/AllowFastReconnect** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows EAP Fast Reconnect from being attempted for EAP Method TLS. @@ -1517,26 +1629,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Authentication/AllowSecondaryAuthenticationDevice** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. @@ -1547,22 +1667,7 @@ SKU Support:

    The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Autoplay/DisallowAutoplayForNonVolumeDevices** @@ -1574,8 +1679,6 @@ If you enable this policy setting, AutoPlay is not allowed for MTP devices like If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. - - ADMX Info: @@ -1605,8 +1708,6 @@ b) Revert back to pre-Windows Vista behavior of automatically executing the auto If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. - - ADMX Info: @@ -1637,8 +1738,6 @@ If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - - ADMX Info: @@ -1652,6 +1751,29 @@ ADMX Info: **Bitlocker/EncryptionMethod** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies the BitLocker Drive Encryption method and cipher strength. @@ -1662,26 +1784,34 @@ ADMX Info: - 6 -XTS 128 - 7 - XTS 256 - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowAdvertising** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether the device can send out Bluetooth advertisements. @@ -1694,26 +1824,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowDiscoverableMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether other Bluetooth-enabled devices can discover the device. @@ -1726,26 +1864,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/AllowPrepairing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. @@ -1754,26 +1900,34 @@ SKU Support: - 0 – Not allowed. - 1 (default)– Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/LocalDeviceName** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Sets the local Bluetooth device name. @@ -1781,47 +1935,40 @@ SKU Support:

    If this policy is not set or it is deleted, the default local radio name is used. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Bluetooth/ServicesAllowedList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.

    The default value is an empty string. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowAddressBarDropdown** @@ -1839,14 +1986,34 @@ SKU Support:

    Most restricted value is 0. - - - **Browser/AllowAutofill** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + +

    Specifies whether autofill on websites is allowed. @@ -1864,26 +2031,34 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Save form entries** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowBrowser** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -1900,26 +2075,34 @@ SKU Support:

    When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Browser/AllowCookies** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether cookies are allowed. @@ -1937,25 +2120,34 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Cookies** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **Browser/AllowDeveloperTools** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1970,26 +2162,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowDoNotTrack** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether Do Not Track headers are allowed. @@ -2007,26 +2207,34 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Send Do Not Track requests** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowExtensions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. @@ -2035,26 +2243,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowFlash** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + +

    Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. @@ -2063,26 +2279,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowFlashClickToRun** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. @@ -2091,26 +2315,34 @@ SKU Support: - 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. - 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowInPrivate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether InPrivate browsing is allowed on corporate networks. @@ -2121,22 +2353,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowMicrosoftCompatibilityList** @@ -2154,14 +2371,34 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis

    Most restricted value is 0. - - - **Browser/AllowPasswordManager** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether saving and managing passwords locally on the device is allowed. @@ -2179,26 +2416,34 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowPopups** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + +

    Specifies whether pop-up blocker is allowed or enabled. @@ -2216,22 +2461,7 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Block pop-ups** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowSearchEngineCustomization** @@ -2248,14 +2478,34 @@ SKU Support:

    Most restricted value is 0. - - - **Browser/AllowSearchSuggestionsinAddressBar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether search suggestions are allowed in the address bar. @@ -2266,26 +2516,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/AllowSmartScreen** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether Windows Defender SmartScreen is allowed. @@ -2303,22 +2561,7 @@ SKU Support: 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/ClearBrowsingDataOnExit** @@ -2339,9 +2582,6 @@ SKU Support: 2. Close the Microsoft Edge window. 3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. - - - @@ -2365,9 +2605,6 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - @@ -2389,14 +2626,34 @@ Employees cannot remove these search engines, but they can set any one as the de

    Most restricted value is 0. - - - **Browser/EnterpriseModeSiteList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2409,50 +2666,66 @@ Employees cannot remove these search engines, but they can set any one as the de - Not configured. The device checks for updates from Microsoft Update. - Set to a URL location of the enterprise site list. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/EnterpriseSiteListServiceUrl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + > [!IMPORTANT] > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/FirstRunURL** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -2464,26 +2737,34 @@ SKU Support:

    The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/HomePages** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2497,27 +2778,34 @@ SKU Support: > [!NOTE] > Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventAccessToAboutFlagsInMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + +

    Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -2526,22 +2814,7 @@ SKU Support: - 0 (default) – Users can access the about:flags page in Microsoft Edge. - 1 – Users can't access the about:flags page in Microsoft Edge. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventFirstRunPage** @@ -2556,9 +2829,6 @@ SKU Support:

    Most restricted value is 1. - - - @@ -2574,14 +2844,34 @@ SKU Support:

    Most restricted value is 1. - - - **Browser/PreventSmartScreenPromptOverride** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. @@ -2592,26 +2882,34 @@ SKU Support:

    Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventSmartScreenPromptOverrideForFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. @@ -2620,26 +2918,34 @@ SKU Support: - 0 (default) – Off. - 1 – On. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/PreventUsingLocalHostIPAddressForWebRTC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2652,26 +2958,34 @@ SKU Support: - 0 (default) – The localhost IP address is shown. - 1 – The localhost IP address is hidden. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/SendIntranetTraffictoInternetExplorer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2686,22 +3000,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Browser/SetDefaultSearchEngine** @@ -2723,14 +3022,34 @@ SKU Support:

    Most restricted value is 0. - - - **Browser/ShowMessageWhenOpeningSitesInInternetExplorer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -2745,26 +3064,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. @@ -2786,27 +3113,34 @@ SKU Support:

  • Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Camera/AllowCamera** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Disables or enables the camera. @@ -2817,26 +3151,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowBluetooth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to enable Bluetooth or restrict access. @@ -2854,26 +3196,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowCellularData** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + +

    Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. @@ -2883,26 +3233,34 @@ SKU Support: - 1 (default) – Allow the cellular data channel. The user can turn it off. - 2 - Allow the cellular data channel. The user cannot turn it off. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowCellularDataRoaming** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. @@ -2922,26 +3280,34 @@ SKU Support: 2. Click on the SIM (next to the signal strength icon) and select **Properties**. 3. On the Properties page, select **Data roaming options**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowConnectedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + + > [!NOTE] > This policy requires reboot to take effect. @@ -2953,27 +3319,34 @@ SKU Support: - 1 (default) - Allow (CDP service available). - 0 - Disable (CDP service not available). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowNFC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -2988,26 +3361,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowUSBConnection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -3024,26 +3405,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Connectivity/AllowVPNOverCellular** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies what type of underlying connections VPN is allowed to use. @@ -3054,26 +3443,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/AllowVPNRoamingOverCellular** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Prevents the device from connecting to VPN when the device roams over cellular networks. @@ -3084,22 +3481,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Connectivity/HardenedUNCPaths** @@ -3109,9 +3491,6 @@ This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. - - - ADMX Info: @@ -3136,8 +3515,6 @@ Note: The user's domain password will be cached in the system vault when using t To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. - - ADMX Info: @@ -3160,8 +3537,6 @@ If you disable or don't configure this policy setting, a domain user can set up Note that the user's domain password will be cached in the system vault when using this feature. - - ADMX Info: @@ -3186,8 +3561,6 @@ By default, the password reveal button is displayed after a user types a passwor The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. - - ADMX Info: @@ -3208,8 +3581,6 @@ If you enable this policy setting, all local administrator accounts on the PC wi If you disable this policy setting, users will always be required to type a user name and password to elevate. - - ADMX Info: @@ -3223,6 +3594,29 @@ ADMX Info: **Cryptography/AllowFipsAlgorithmPolicy** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows the Federal Information Processing Standard (FIPS) policy. @@ -3231,49 +3625,65 @@ ADMX Info: - 0 (default) – Not allowed. - 1– Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Cryptography/TLSCipherSuites** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DataProtection/AllowDirectMemoryAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. @@ -3284,26 +3694,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **DataProtection/LegacySelectiveWipeID** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!IMPORTANT] > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. @@ -3314,23 +3732,7 @@ SKU Support: > [!NOTE] > This policy is not recommended for use in Windows 10. - - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DataUsage/SetCost3G** @@ -3348,9 +3750,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. - - - ADMX Info: @@ -3377,9 +3776,6 @@ If this policy setting is enabled, a drop-down list box presenting possible cost If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. - - - ADMX Info: @@ -3393,6 +3789,29 @@ ADMX Info: **Defender/AllowArchiveScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3405,26 +3824,34 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowBehaviorMonitoring** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3437,26 +3864,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowCloudProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3469,26 +3904,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowEmailScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3501,26 +3944,34 @@ SKU Support: - 0 (default) – Not allowed. - 1 – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowFullScanOnMappedNetworkDrives** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3533,26 +3984,34 @@ SKU Support: - 0 (default) – Not allowed. - 1 – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowFullScanRemovableDriveScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3565,26 +4024,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowIOAVProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3597,26 +4064,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowIntrusionPreventionSystem** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3629,26 +4104,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowOnAccessProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3661,26 +4144,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowRealtimeMonitoring** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3693,26 +4184,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowScanningNetworkFiles** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3725,26 +4224,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowScriptScanning** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3757,26 +4264,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AllowUserUIAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3789,26 +4304,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/AvgCPULoadFactor** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3820,26 +4343,34 @@ SKU Support:

    The default value is 50. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/DaysToRetainCleanedMalware** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3851,26 +4382,34 @@ SKU Support:

    The default value is 0, which keeps items in quarantine, and does not automatically remove them. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ExcludedExtensions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3878,26 +4417,34 @@ SKU Support:  

    llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ExcludedPaths** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3905,26 +4452,34 @@ SKU Support:

    Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ExcludedProcesses** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3938,26 +4493,34 @@ SKU Support:  

    Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/PUAProtection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -3971,26 +4534,34 @@ SKU Support: - 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. - 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/RealTimeScanDirection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4008,26 +4579,34 @@ SKU Support: - 1 – Monitor incoming files. - 2 – Monitor outgoing files. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScanParameter** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4040,26 +4619,34 @@ SKU Support: - 1 (default) – Quick scan - 2 – Full scan - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScheduleQuickScanTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4077,26 +4664,34 @@ SKU Support:

    The default value is 120 - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScheduleScanDay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4120,26 +4715,34 @@ SKU Support: - 7 – Sunday - 8 – No scheduled scan - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ScheduleScanTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4157,26 +4760,34 @@ SKU Support:

    The default value is 120. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/SignatureUpdateInterval** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4190,26 +4801,34 @@ SKU Support:

    The default value is 8. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/SubmitSamplesConsent** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4224,26 +4843,34 @@ SKU Support: - 2 – Never send. - 3 – Send all samples automatically. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Defender/ThreatSeverityDefaultAction** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -4269,26 +4896,34 @@ SKU Support: - 8 – User defined - 10 – Block - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOAbsoluteMaxCacheSize** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4298,26 +4933,34 @@ SKU Support:

    The default value is 10. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOAllowVPNPeerCaching** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4327,27 +4970,34 @@ SKU Support:

    The default value is 0 (FALSE). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DODownloadMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4364,26 +5014,34 @@ SKU Support: - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. - 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOGroupId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4394,27 +5052,34 @@ SKU Support: > [!NOTE] > You must use a GUID as the group ID. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxCacheAge** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4424,26 +5089,34 @@ SKU Support:

    The default value is 259200 seconds (3 days). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxCacheSize** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4453,26 +5126,34 @@ SKU Support:

    The default value is 20. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4482,26 +5163,34 @@ SKU Support:

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMaxUploadBandwidth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4511,26 +5200,34 @@ SKU Support:

    The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinBackgroundQos** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4540,26 +5237,34 @@ SKU Support:

    The default value is 500. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4568,27 +5273,34 @@ SKU Support:

    The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinDiskSizeAllowedToPeer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4601,28 +5313,34 @@ SKU Support:

    The default value is 32 GB. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinFileSizeToCache** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4632,28 +5350,34 @@ SKU Support:

    The default value is 100 MB. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMinRAMAllowedToPeer** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4663,27 +5387,34 @@ SKU Support:

    The default value is 4 GB. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOModifyCacheDrive** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4693,26 +5424,34 @@ SKU Support:

    By default, %SystemDrive% is used to store the cache. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOMonthlyUploadDataCap** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4724,26 +5463,34 @@ SKU Support:

    The default value is 20. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -4753,22 +5500,7 @@ SKU Support:

    The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Desktop/PreventUserRedirectionOfProfileFolders** @@ -4780,8 +5512,6 @@ By default, a user can change the location of their individual profile folders l If you enable this setting, users are unable to type a new location in the Target box. - - ADMX Info: @@ -4802,8 +5532,6 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. - - ADMX Info: @@ -4824,8 +5552,6 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. - - ADMX Info: @@ -4839,6 +5565,29 @@ ADMX Info: **DeviceLock/AllowIdleReturnWithoutPassword** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -4855,26 +5604,34 @@ ADMX Info: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -4894,27 +5651,34 @@ SKU Support: > [!IMPORTANT] > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. - - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/AllowSimpleDevicePassword** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. @@ -4929,26 +5693,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/AlphanumericDevicePasswordRequired** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). @@ -4971,25 +5743,34 @@ SKU Support:   - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordEnabled** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether device lock is enabled. @@ -5038,26 +5819,34 @@ SKU Support: > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordExpiration** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies when the password expires (in days). @@ -5074,26 +5863,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/DevicePasswordHistory** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies how many passwords can be stored in the history that can’t be used. @@ -5112,26 +5909,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/EnforceLockScreenAndLogonImage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. @@ -5141,26 +5946,34 @@ SKU Support:

    Value type is a string, which is the full image filepath and filename. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/EnforceLockScreenProvider** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + +

    Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. @@ -5170,26 +5983,34 @@ SKU Support:

    Value type is a string, which is the AppID. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/MaxDevicePasswordFailedAttempts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. @@ -5213,26 +6034,34 @@ The number of authentication failures allowed before the device will be wiped. A

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MaxInactivityTimeDeviceLock** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. @@ -5247,26 +6076,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcross markcheck mark2check mark2
    + +

    Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. @@ -5279,27 +6116,34 @@ SKU Support: - An integer X where 0 <= X <= 999. - 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - - - - -SKU Support: -- Home: No -- Pro: No -- Business: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **DeviceLock/MinDevicePasswordComplexCharacters** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. @@ -5374,26 +6218,34 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/MinDevicePasswordLength** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies the minimum number or characters required in the PIN or password. @@ -5413,22 +6265,7 @@ SKU Support:

    For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **DeviceLock/PreventLockScreenSlideShow** @@ -5440,8 +6277,6 @@ By default, users can enable a slide show that will run after they lock the mach If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. - - ADMX Info: @@ -5455,6 +6290,29 @@ ADMX Info: **DeviceLock/ScreenTimeoutWhileLocked** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -5469,25 +6327,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No - - **Display/TurnOffGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -5504,27 +6371,34 @@ SKU Support: 1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. 2. Run the app and observe blurry text. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Display/TurnOnGdiDPIScalingForApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. @@ -5541,191 +6415,217 @@ SKU Support: 1. Configure the setting for an app which uses GDI. 2. Run the app and observe crisp text. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintOAuthClientId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrintResourceId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.

    The datatype is an integer.

    For Windows Mobile, the default value is 20. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **EnterpriseCloudPrint/MopriaDiscoveryResourceId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + + -

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. +

    Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.

    The datatype is a string.

    The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **ErrorReporting/CustomizeConsentSettings** @@ -5747,8 +6647,6 @@ If you enable this policy setting, you can add specific event types to a list by If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. - - ADMX Info: @@ -5769,8 +6667,6 @@ If you enable this policy setting, Windows Error Reporting does not send any pro If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. - - ADMX Info: @@ -5795,8 +6691,6 @@ If you do not configure this policy setting, users can change this setting in Co See also the Configure Error Reporting policy setting. - - ADMX Info: @@ -5817,8 +6711,6 @@ If you enable this policy setting, any additional data requests from Microsoft i If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. - - ADMX Info: @@ -5839,8 +6731,6 @@ If you enable this policy setting, Windows Error Reporting does not display any If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. - - ADMX Info: @@ -5863,8 +6753,6 @@ If you disable or do not configure this policy setting and a log file reaches it Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - ADMX Info: @@ -5885,8 +6773,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -5907,8 +6793,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -5929,8 +6813,6 @@ If you enable this policy setting, you can configure the maximum log file size t If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - ADMX Info: @@ -5944,6 +6826,29 @@ ADMX Info: **Experience/AllowCopyPaste** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -5957,26 +6862,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowCortana** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. @@ -5995,26 +6908,34 @@ SKU Support:

    An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowDeviceDiscovery** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows users to turn on/off device discovery UX. @@ -6027,41 +6948,34 @@ SKU Support:

    Most restricted value is 0. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - - - -**Experience/AllowFindMyDevice** - - -

    Added in Windows 10, version 1703. This policy turns on Find My Device feature. - -

    When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. - -

    When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. - - - - **Experience/AllowManualMDMUnenrollment** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the user to delete the workplace account using the workplace control panel. @@ -6076,26 +6990,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowSIMErrorDialogPromptWhenNoSIM** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6108,26 +7030,34 @@ SKU Support: - 0 – SIM card dialog prompt is not displayed. - 1 (default) – SIM card dialog prompt is displayed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowScreenCapture** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6142,26 +7072,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowSyncMySettings** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -6170,22 +7108,7 @@ SKU Support: - 0 – Sync settings is not allowed. - 1 (default) – Sync settings allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowTailoredExperiencesWithDiagnosticData** @@ -6207,14 +7130,34 @@ SKU Support:

    Most restricted value is 0. - - - **Experience/AllowTaskSwitcher** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6227,26 +7170,34 @@ SKU Support: - 0 – Task switching not allowed. - 1 (default) – Task switching allowed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowThirdPartySuggestionsInWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -6259,26 +7210,34 @@ SKU Support: - 0 – Third-party suggestions not allowed. - 1 (default) – Third-party suggestions allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowVoiceRecording** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -6293,26 +7252,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowWindowsConsumerFeatures** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -6334,26 +7301,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowWindowsSpotlight** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -6368,22 +7343,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/AllowWindowsSpotlightOnActionCenter** @@ -6401,9 +7361,6 @@ SKU Support:

    Most restricted value is 0. - - - @@ -6423,14 +7380,34 @@ The Windows welcome experience feature introduces onboard users to Windows; for

    Most restricted value is 0. - - - **Experience/AllowWindowsTips** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + Enables or disables Windows Tips / soft landing. @@ -6439,26 +7416,34 @@ Enables or disables Windows Tips / soft landing. - 0 – Disabled. - 1 (default) – Enabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/ConfigureWindowsSpotlightOnLockScreen** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. @@ -6472,26 +7457,34 @@ SKU Support: - 1 (default) – Windows spotlight enabled. - 2 – placeholder only for future extension. Using this value has no effect. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Experience/DoNotShowFeedbackNotifications** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Prevents devices from showing feedback questions from Microsoft. @@ -6504,22 +7497,7 @@ SKU Support: - 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. - 1 – Feedback notifications are disabled. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Games/AllowAdvancedGamingServices** @@ -6527,9 +7505,6 @@ SKU Support:

    Placeholder only. Currently not supported. - - - @@ -6542,8 +7517,6 @@ If you enable this policy setting, the user can add and remove search providers, If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. - - ADMX Info: @@ -6564,8 +7537,6 @@ If you enable this policy setting, ActiveX Filtering is enabled by default for t If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. - - ADMX Info: @@ -6592,8 +7563,6 @@ Value - A number indicating whether Internet Explorer should deny or allow the a If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. - - ADMX Info: @@ -6616,8 +7585,6 @@ If you disable this policy setting, Enhanced Protected Mode will be turned off. If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. - - ADMX Info: @@ -6638,8 +7605,6 @@ If you turn this setting on, users can see and use the Enterprise Mode option fr If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. - - ADMX Info: @@ -6660,8 +7625,6 @@ If you enable this policy setting, Internet Explorer downloads the website list If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. - - ADMX Info: @@ -6682,8 +7645,6 @@ If you enable this policy setting, the user can add and remove sites from the li If you disable or do not configure this policy setting, the user can add and remove sites from the list. - - ADMX Info: @@ -6705,8 +7666,6 @@ If you disable this policy setting, Internet Explorer uses an Internet Explorer If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. - - ADMX Info: @@ -6733,8 +7692,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6761,8 +7718,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6789,8 +7744,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6817,8 +7770,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6845,8 +7796,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6873,8 +7822,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6901,8 +7848,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -6923,8 +7868,6 @@ If you enable this policy setting, Internet Explorer goes directly to an intrane If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. - - ADMX Info: @@ -6951,8 +7894,6 @@ Value - A number indicating the zone with which this site should be associated f If you disable or do not configure this policy, users may choose their own site-to-zone assignments. - - ADMX Info: @@ -6975,8 +7916,6 @@ If you disable this policy setting, the entry points and functionality associate If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. - - ADMX Info: @@ -7003,8 +7942,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -7031,8 +7968,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -7058,8 +7993,6 @@ Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - ADMX Info: @@ -7082,8 +8015,6 @@ If you disable, or do not configure this policy setting, Flash is turned on for Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - ADMX Info: @@ -7104,8 +8035,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - ADMX Info: @@ -7126,8 +8055,6 @@ If you enable this policy setting, SmartScreen Filter warnings block the user. If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - ADMX Info: @@ -7150,8 +8077,6 @@ If you disable this policy setting, the user must participate in the CEIP, and t If you do not configure this policy setting, the user can choose to participate in the CEIP. - - ADMX Info: @@ -7172,8 +8097,6 @@ If you enable this policy setting, the user cannot set the Feed Sync Engine to d If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. - - ADMX Info: @@ -7196,8 +8119,6 @@ If you disable or do not configure this policy setting, the user can select whic Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. - - ADMX Info: @@ -7222,8 +8143,6 @@ Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not avail If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. - - ADMX Info: @@ -7248,8 +8167,6 @@ If you disable this policy setting, flip ahead with page prediction is turned on If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. - - ADMX Info: @@ -7270,8 +8187,6 @@ If you enable this policy setting, a user cannot set a custom default home page. If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - ADMX Info: @@ -7292,8 +8207,6 @@ If you enable this policy setting, the user will not be able to configure proxy If you disable or do not configure this policy setting, the user can configure proxy settings. - - ADMX Info: @@ -7314,8 +8227,6 @@ If you enable this policy setting, the user cannot change the default search pro If you disable or do not configure this policy setting, the user can change the default search provider. - - ADMX Info: @@ -7338,8 +8249,6 @@ If you disable or do not configure this policy setting, the user can add seconda Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. - - ADMX Info: @@ -7362,8 +8271,6 @@ If you disable this policy or do not configure it, Internet Explorer checks ever This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. - - ADMX Info: @@ -7390,8 +8297,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Ad Also, see the "Security zones: Use only machine settings" policy. - - ADMX Info: @@ -7418,8 +8323,6 @@ Note: The "Disable the Security page" policy (located in \User Configuration\Adm Also, see the "Security zones: Use only machine settings" policy. - - ADMX Info: @@ -7442,8 +8345,6 @@ If you disable or don't configure this policy setting, Internet Explorer continu For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - ADMX Info: @@ -7470,8 +8371,6 @@ If you disable or don't configure this policy setting, the list is deleted and I For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - ADMX Info: @@ -7494,8 +8393,6 @@ If you disable this policy setting, local sites which are not explicitly mapped If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. - - ADMX Info: @@ -7518,8 +8415,6 @@ If you disable this policy setting, network paths are not necessarily mapped int If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. - - ADMX Info: @@ -7542,8 +8437,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -7566,8 +8459,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -7588,8 +8479,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -7612,8 +8501,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -7636,8 +8523,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - ADMX Info: @@ -7660,8 +8545,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -7684,8 +8567,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -7710,8 +8591,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -7734,8 +8613,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -7760,8 +8637,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -7784,8 +8659,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -7808,8 +8681,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -7832,8 +8703,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -7854,8 +8723,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -7878,8 +8745,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -7902,8 +8767,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - ADMX Info: @@ -7926,8 +8789,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -7950,8 +8811,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -7976,8 +8835,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8000,8 +8857,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8026,8 +8881,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -8050,8 +8903,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8074,8 +8925,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8098,8 +8947,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -8120,8 +8967,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -8144,8 +8989,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8168,8 +9011,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8192,8 +9033,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -8216,8 +9055,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -8242,8 +9079,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8266,8 +9101,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8292,8 +9125,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - ADMX Info: @@ -8316,8 +9147,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8340,8 +9169,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8364,8 +9191,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -8386,8 +9211,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -8410,8 +9233,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8434,8 +9255,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8458,8 +9277,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -8482,8 +9299,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -8508,8 +9323,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8532,8 +9345,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8558,8 +9369,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -8582,8 +9391,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8606,8 +9413,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8630,8 +9435,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -8652,8 +9455,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -8676,8 +9477,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8700,8 +9499,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8724,8 +9521,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -8748,8 +9543,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -8774,8 +9567,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -8798,8 +9589,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -8824,8 +9613,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -8848,8 +9635,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -8872,8 +9657,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -8896,8 +9679,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -8918,8 +9699,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -8942,8 +9721,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -8966,8 +9743,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -8990,8 +9765,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9014,8 +9787,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9040,8 +9811,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9064,8 +9833,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9090,8 +9857,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9114,8 +9879,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9138,8 +9901,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9162,8 +9923,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9184,8 +9943,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9208,8 +9965,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - ADMX Info: @@ -9232,8 +9987,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9256,8 +10009,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9280,8 +10031,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9306,8 +10055,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9330,8 +10077,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9356,8 +10101,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9380,8 +10123,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - ADMX Info: @@ -9404,8 +10145,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9428,8 +10167,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9450,8 +10187,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9474,8 +10209,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -9498,8 +10231,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9522,8 +10253,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9546,8 +10275,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9572,8 +10299,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9596,8 +10321,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9622,8 +10345,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9646,8 +10367,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -9670,8 +10389,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9694,8 +10411,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - ADMX Info: @@ -9716,8 +10431,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - ADMX Info: @@ -9740,8 +10453,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - ADMX Info: @@ -9764,8 +10475,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - ADMX Info: @@ -9788,8 +10497,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - ADMX Info: @@ -9812,8 +10519,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -9838,8 +10543,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -9862,8 +10565,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -9888,8 +10589,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - ADMX Info: @@ -9912,8 +10611,6 @@ If you disable this policy setting, users cannot open other windows and frames f If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - ADMX Info: @@ -9934,8 +10631,6 @@ If you enable this policy setting, the user cannot configure the list of search If you disable or do not configure this policy setting, the user can configure his or her list of search providers. - - ADMX Info: @@ -9958,8 +10653,6 @@ If you disable this policy setting, users cannot load a page in the zone that us If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - ADMX Info: @@ -9982,8 +10675,6 @@ If you disable this policy setting, ActiveX control installations will be blocke If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - ADMX Info: @@ -10004,8 +10695,6 @@ If you enable this setting, users will receive a file download dialog for automa If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - ADMX Info: @@ -10028,8 +10717,6 @@ If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - ADMX Info: @@ -10052,8 +10739,6 @@ If you disable this policy setting, the possibly harmful navigations are prevent If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - ADMX Info: @@ -10076,8 +10761,6 @@ If you disable this policy setting, Internet Explorer will not execute unsigned If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - ADMX Info: @@ -10100,8 +10783,6 @@ If you disable this policy setting, the user cannot run scriptlets. If you do not configure this policy setting, the user can enable or disable scriptlets. - - ADMX Info: @@ -10126,8 +10807,6 @@ If you do not configure this policy setting, the user can choose whether SmartSc Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - ADMX Info: @@ -10150,8 +10829,6 @@ If you disable this policy setting, users cannot preserve information in the bro If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - ADMX Info: @@ -10176,8 +10853,6 @@ If you disable this policy setting, ActiveX controls that cannot be made safe ar If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - ADMX Info: @@ -10200,8 +10875,6 @@ If you disable this policy setting, users cannot open windows and frames to acce If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - ADMX Info: @@ -10222,8 +10895,6 @@ If you enable this policy setting, the Kerberos client searches the forests in t If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - ADMX Info: @@ -10242,9 +10913,6 @@ If you enable this policy setting, the client computers will request claims, pro If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - - ADMX Info: @@ -10269,9 +10937,6 @@ Note: The Kerberos Group Policy "Kerberos client support for claims, compound au If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - - ADMX Info: @@ -10292,9 +10957,6 @@ If you enable this policy setting, the Kerberos client requires that the KDC's X If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - - ADMX Info: @@ -10319,10 +10981,6 @@ If you disable or do not configure this policy setting, the Kerberos client or s Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - - - ADMX Info: @@ -10336,6 +10994,29 @@ ADMX Info: **Licensing/AllowWindowsEntitlementReactivation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. @@ -10344,26 +11025,34 @@ ADMX Info: - 0 – Disable Windows license reactivation on managed devices. - 1 (default) – Enable Windows license reactivation on managed devices. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Licensing/DisallowKMSClientOnlineAVSValidation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. @@ -10372,26 +11061,34 @@ SKU Support: - 0 (default) – Disabled. - 1 – Enabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Location/EnableLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. @@ -10408,26 +11105,34 @@ SKU Support: 1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. 2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **LockDown/AllowEdgeSwipe** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. @@ -10438,26 +11143,34 @@ SKU Support:

    The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Maps/AllowOfflineMapsDownloadOverMeteredConnection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. @@ -10469,26 +11182,34 @@ SKU Support:

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Maps/EnableOfflineMapsAutoUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Disables the automatic download and update of map data. @@ -10500,22 +11221,7 @@ SKU Support:

    After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Messaging/AllowMMS** @@ -10531,14 +11237,34 @@ SKU Support: - 0 - Disabled. - 1 (default) - Enabled. - - - **Messaging/AllowMessageSync** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + +

    Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. @@ -10547,22 +11273,7 @@ SKU Support: - 0 - message sync is not allowed and cannot be changed by the user. - 1 - message sync is allowed. The user can change this setting. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Messaging/AllowRCS** @@ -10578,37 +11289,65 @@ SKU Support: - 0 - Disabled. - 1 (default) - Enabled. - - - **NetworkIsolation/EnterpriseCloudResources** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseIPRange** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: @@ -10621,72 +11360,96 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ``` - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseIPRangesAreAuthoritative** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseInternalProxyServers** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseNetworkDomainNames** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". @@ -10700,95 +11463,127 @@ SKU Support: 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseProxyServers** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/EnterpriseProxyServersAreAuthoritative** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **NetworkIsolation/NeutralResources** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    List of domain names that can used for work or personal resource. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Notifications/DisallowNotificationMirroring** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. @@ -10801,22 +11596,7 @@ SKU Support: - 0 (default)– enable notification mirroring. - 1 – disable notification mirroring. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Power/AllowStandbyWhenSleepingPluggedIn** @@ -10828,8 +11608,6 @@ If you enable or do not configure this policy setting, Windows uses standby stat If you disable this policy setting, standby states (S1-S3) are not allowed. - - ADMX Info: @@ -10850,8 +11628,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - ADMX Info: @@ -10872,8 +11648,6 @@ If you enable or do not configure this policy setting, the user is prompted for If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - ADMX Info: @@ -10907,8 +11681,6 @@ If you disable this policy setting: -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - ADMX Info: @@ -10942,8 +11714,6 @@ If you disable this policy setting: -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - ADMX Info: @@ -10965,8 +11735,6 @@ If you disable this setting, this computer's shared printers cannot be published Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". - - ADMX Info: @@ -10980,6 +11748,29 @@ ADMX Info: **Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check markcheck mark
    + +

    Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. @@ -10990,26 +11781,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/AllowInputPersonalization** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. @@ -11021,25 +11820,34 @@ SKU Support:

    Most restricted value is 0.   - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/DisableAdvertisingId** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Enables or disables the Advertising ID. @@ -11051,26 +11859,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. @@ -11082,95 +11898,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. @@ -11182,95 +12030,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. @@ -11282,95 +12162,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. @@ -11382,95 +12294,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. @@ -11482,95 +12426,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access email. @@ -11582,95 +12558,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access location. @@ -11682,95 +12690,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). @@ -11782,95 +12822,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. @@ -11882,95 +12954,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. @@ -11982,95 +13086,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. @@ -12082,95 +13218,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. @@ -12182,95 +13350,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. @@ -12282,187 +13482,251 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. @@ -12474,95 +13738,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. @@ -12574,95 +13870,127 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. @@ -12676,95 +14004,127 @@ SKU Support: > [!WARNING] > Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. @@ -12776,91 +14136,100 @@ SKU Support:

    Most restricted value is 2. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **RemoteAssistance/CustomizeWarningMessages** @@ -12878,8 +14247,6 @@ If you disable this policy setting, the user sees the default warning message. If you do not configure this policy setting, the user sees the default warning message. - - ADMX Info: @@ -12902,8 +14269,6 @@ If you disable this policy setting, log files are not generated. If you do not configure this setting, application-based settings are used. - - ADMX Info: @@ -12934,8 +14299,6 @@ The "Select the method for sending email invitations" setting specifies which em If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. - - ADMX Info: @@ -12989,8 +14352,6 @@ Port 135:TCP %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe Allow Remote Desktop Exception - - ADMX Info: @@ -13016,9 +14377,6 @@ Note: You can limit which clients are able to connect remotely by using Remote D You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. - - - ADMX Info: @@ -13049,9 +14407,6 @@ Important FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. - - - ADMX Info: @@ -13076,9 +14431,6 @@ If you disable this policy setting, client drive redirection is always allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. - - - ADMX Info: @@ -13099,8 +14451,6 @@ If you enable this setting the password saving checkbox in Remote Desktop Connec If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. - - ADMX Info: @@ -13127,9 +14477,6 @@ If you disable this policy setting, users can always log on to Remote Desktop Se If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. - - - ADMX Info: @@ -13156,8 +14503,6 @@ If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services. - - ADMX Info: @@ -13182,8 +14527,6 @@ If you do not configure this policy setting, it remains disabled. RPC clients w Note: This policy will not be applied until the system is rebooted. - - ADMX Info: @@ -13216,8 +14559,6 @@ If you enable this policy setting, it directs the RPC server runtime to restrict Note: This policy setting will not be applied until the system is rebooted. - - ADMX Info: @@ -13231,6 +14572,29 @@ ADMX Info: **Search/AllowIndexingEncryptedStoresOrItems** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. @@ -13245,26 +14609,34 @@ ADMX Info:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/AllowSearchToUseLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether search can leverage location information. @@ -13275,26 +14647,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): Yes - - **Search/AllowUsingDiacritics** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the use of diacritics. @@ -13305,26 +14685,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/AlwaysUseAutoLangDetection** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to always use automatic language detection when indexing content and properties. @@ -13335,26 +14723,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/DisableBackoff** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. @@ -13363,26 +14759,34 @@ SKU Support: - 0 (default) – Disable. - 1 – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/DisableRemovableDriveIndexing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    This policy setting configures whether or not locations on removable drives can be added to libraries. @@ -13395,26 +14799,34 @@ SKU Support: - 0 (default) – Disable. - 1 – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/PreventIndexingLowDiskSpaceMB** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. @@ -13427,26 +14839,34 @@ SKU Support: - 0 – Disable. - 1 (default) – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/PreventRemoteQueries** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. @@ -13455,26 +14875,34 @@ SKU Support: - 0 – Disable. - 1 (default) – Enable. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Search/SafeSearchPermissions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -13489,26 +14917,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowAddProvisioningPackage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the runtime configuration agent to install provisioning packages. @@ -13517,26 +14953,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy has been deprecated in Windows 10, version 1607 @@ -13554,26 +14998,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowManualRootCertificateInstallation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -13588,26 +15040,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/AllowRemoveProvisioningPackage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the runtime configuration agent to remove provisioning packages. @@ -13616,26 +15076,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/AntiTheftMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -13648,26 +15116,34 @@ SKU Support: - 0 – Don't allow Anti Theft Mode. - 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13682,26 +15158,34 @@ SKU Support: - 0 (default) – Encryption enabled. - 1 – Encryption disabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Security/RequireDeviceEncryption** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck markcheck mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. @@ -13718,27 +15202,34 @@ SKU Support: > [!IMPORTANT] > If encryption has been enabled, it cannot be turned off by using this policy. - - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Security/RequireProvisioningPackageSignature** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether provisioning packages must have a certificate signed by a device trusted authority. @@ -13747,26 +15238,34 @@ SKU Support: - 0 (default) – Not required. - 1 – Required. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Security/RequireRetrieveHealthCertificateOnBoot** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. @@ -13786,26 +15285,34 @@ SKU Support:

    Most restricted value is 1. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowAutoPlay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13821,27 +15328,34 @@ SKU Support: > [!NOTE] > Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowDataSense** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to change Data Sense settings. @@ -13850,26 +15364,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowDateTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to change date and time settings. @@ -13878,26 +15400,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowEditDeviceName** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcross markcross markcheck mark1check mark1
    + +

    Allows editing of the device name. @@ -13906,26 +15436,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: No -- Education: No -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowLanguage** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13938,26 +15476,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowPowerSleep** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -13970,26 +15516,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowRegion** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14002,26 +15556,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowSignInOptions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14034,26 +15596,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowVPN** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows the user to change VPN settings. @@ -14062,26 +15632,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowWorkplace** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14094,26 +15672,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/AllowYourAccount** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows user to change account settings. @@ -14122,26 +15708,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/ConfigureTaskbarCalendar** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -14152,27 +15746,34 @@ SKU Support: - 2 - Simplified Chinese (Lunar). - 3 - Traditional Chinese (Lunar). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Settings/PageVisibilityList** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. @@ -14206,27 +15807,34 @@ SKU Support: 2. Configure the policy with the following string: "hide:about". 3. Open System Settings again and verify that the About page is no longer accessible. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/EnableAppInstallControl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. @@ -14235,27 +15843,34 @@ SKU Support: - 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. - 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/EnableSmartScreenInShell** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. @@ -14264,27 +15879,34 @@ SKU Support: - 0 – Turns off SmartScreen in Windows. - 1 – Turns on SmartScreen in Windows. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **SmartScreen/PreventOverrideForFilesInShell** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. @@ -14293,27 +15915,34 @@ SKU Support: - 0 – Employees can ignore SmartScreen warnings and run malicious files. - 1 – Employees cannot ignore SmartScreen warnings and run malicious files. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Speech/AllowSpeechModelUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    check mark1check mark1check mark1check mark1check mark1check mark1
    + +

    Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). @@ -14322,26 +15951,34 @@ SKU Support: - 0 – Not allowed. - 1 (default) – Allowed. - - - - -SKU Support: -- Home: Yes -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Start/ForceStartSize** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -14357,22 +15994,7 @@ SKU Support:

    If there is policy configuration conflict, the latest configuration request is applied to the device. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Start/HideAppList** @@ -14397,9 +16019,6 @@ SKU Support: - 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. - 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. - - - @@ -14418,9 +16037,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify that "Change account settings" is not available. - - - @@ -14446,9 +16062,6 @@ SKU Support: 5. Check that "Show most used apps" Settings toggle is grayed out. 6. Check that most used apps do not appear in Start. - - - @@ -14470,9 +16083,6 @@ SKU Support: > [!NOTE] > This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. - - - @@ -14491,9 +16101,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify "Lock" is not available. - - - @@ -14515,9 +16122,6 @@ SKU Support: 1. Enable policy. 2. Open Start, and verify the power button is not available. - - - @@ -14546,9 +16150,6 @@ SKU Support: 8. Repeat Step 2. 9. Right Click pinned photos app and verify that there is no jumplist of recent items. - - - @@ -14574,9 +16175,6 @@ SKU Support: 5. Check that "Show recently added apps" Settings toggle is grayed out. 6. Check that recently added apps do not appear in Start. - - - @@ -14595,9 +16193,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. - - - @@ -14616,9 +16211,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. - - - @@ -14637,9 +16229,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify "Sign out" is not available. - - - @@ -14658,9 +16247,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the Power button, and verify that "Sleep" is not available. - - - @@ -14679,9 +16265,6 @@ SKU Support: 1. Enable policy. 2. Open Start, click on the user tile, and verify that "Switch account" is not available. - - - @@ -14704,9 +16287,6 @@ SKU Support: 2. Log off. 3. Log in, and verify that the user tile is gone from Start. - - - @@ -14730,9 +16310,6 @@ SKU Support: 3. Sign out/in. 4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. - - - @@ -14754,14 +16331,34 @@ SKU Support: 4. Open Start and right click on one of the app list icons. 5. Verify that More->Pin to taskbar menu does not show. - - - **Start/StartLayout** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcross markcheck markcheck markcross markcross mark
    + + > [!IMPORTANT] > This node is set on a per-user basis and must be accessed using the following paths: @@ -14778,22 +16375,7 @@ SKU Support:

    This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. - - - - -SKU Support: -- Home: No -- Pro: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Storage/EnhancedStorageDevices** @@ -14805,8 +16387,6 @@ If you enable this policy setting, Windows will not activate unactivated Enhance If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - ADMX Info: @@ -14820,6 +16400,29 @@ ADMX Info: **System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + > [!NOTE] > This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. @@ -14835,26 +16438,34 @@ ADMX Info: - 1 – Allowed. Users can make their devices available for downloading and installing preview software. - 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether set general purpose device to be in embedded mode. @@ -14865,25 +16476,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + + > [!NOTE] > This policy is not supported in Windows 10, version 1607. @@ -14898,26 +16518,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. @@ -14937,26 +16565,34 @@ SKU Support: - After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes - - **System/AllowLocation** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow app access to the Location service. @@ -14974,26 +16610,34 @@ SKU Support:

    For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. @@ -15004,26 +16648,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow the device to send diagnostic and usage telemetry data, such as Watson. @@ -15089,26 +16741,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. @@ -15119,22 +16779,7 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/BootStartDriverInitialization** @@ -15142,8 +16787,6 @@ SKU Support: N/A - - ADMX Info: @@ -15157,6 +16800,29 @@ ADMX Info: **System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: @@ -15179,23 +16845,7 @@ ADMX Info: 2. Restart machine. 3. Verify that OneDrive.exe is not running in Task Manager. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **System/DisableSystemRestore** @@ -15213,8 +16863,6 @@ If you disable or do not configure this policy setting, users can perform System Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - ADMX Info: @@ -15228,31 +16876,62 @@ ADMX Info: **System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.

    If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **TextInput/AllowIMELogging** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15267,26 +16946,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowIMENetworkAccess** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15301,26 +16988,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowInputPanel** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15335,26 +17030,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseIMESurrogatePairCharacters** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15369,26 +17072,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseIVSCharacters** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15403,26 +17114,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseNonPublishingStandardGlyph** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15437,26 +17156,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowJapaneseUserDictionary** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15471,26 +17198,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowKeyboardTextSuggestions** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15510,23 +17245,7 @@ SKU Support: 2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. 3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/AllowKoreanExtendedHanja** @@ -15534,14 +17253,34 @@ SKU Support:

    This policy has been deprecated. - - - **TextInput/AllowLanguageFeaturesUninstall** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15556,26 +17295,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/ExcludeJapaneseIMEExceptJIS0208** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15588,26 +17335,34 @@ SKU Support: - 0 (default) – No characters are filtered. - 1 – All characters except JIS0208 are filtered. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15620,26 +17375,34 @@ SKU Support: - 0 (default) – No characters are filtered. - 1 – All characters except JIS0208 and EUDC are filtered. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TextInput/ExcludeJapaneseIMEExceptShiftJIS** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -15652,22 +17415,7 @@ SKU Support: - 0 (default) – No characters are filtered. - 1 – All characters except ShiftJIS are filtered. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **TimeLanguageSettings/AllowSet24HourClock** @@ -15680,14 +17428,34 @@ SKU Support: - 0 – Locale default setting. - 1 (default) – Set 24 hour clock. - - - **Update/ActiveHoursEnd** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15702,22 +17470,7 @@ SKU Support:

    The default is 17 (5 PM). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/ActiveHoursMaxRange** @@ -15733,14 +17486,34 @@ SKU Support:

    The default value is 18 (hours). - - - **Update/ActiveHoursStart** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15755,26 +17528,34 @@ SKU Support:

    The default value is 8 (8 AM). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowAutoUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15799,26 +17580,34 @@ SKU Support:

    If the policy is not configured, end-users get the default behavior (Auto install and restart). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowMUUpdateService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education @@ -15831,26 +17620,34 @@ SKU Support: - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowNonMicrosoftSignedUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15867,26 +17664,34 @@ SKU Support:

    This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/AllowUpdateService** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15906,23 +17711,7 @@ SKU Support: > [!NOTE] > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/AutoRestartNotificationSchedule** @@ -15938,9 +17727,6 @@ SKU Support:

    The default value is 15 (minutes). - - - @@ -15958,14 +17744,34 @@ SKU Support: - 1 (default) – Auto Dismissal. - 2 – User Dismissal. - - - **Update/BranchReadinessLevel** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -15978,26 +17784,34 @@ SKU Support: - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferFeatureUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16010,26 +17824,34 @@ SKU Support: > [!IMPORTANT] > The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferQualityUpdatesPeriodInDays** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16039,26 +17861,34 @@ SKU Support:

    Supported values are 0-30. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferUpdatePeriod** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16130,27 +17960,34 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/DeferUpgradePeriod** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16168,46 +18005,38 @@ SKU Support:

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/DetectionFrequency** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/EngagedRestartDeadline** @@ -16223,9 +18052,6 @@ SKU Support:

    The default value is 0 days (not specified). - - - @@ -16242,9 +18068,6 @@ SKU Support:

    The default value is 3 days. - - - @@ -16261,14 +18084,34 @@ SKU Support:

    The default value is 7 days. - - - **Update/ExcludeWUDriversInQualityUpdate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16281,27 +18124,34 @@ SKU Support: - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/FillEmptyContentUrls** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2cross markcheck mark2check mark2cross markcross mark
    + +

    Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). @@ -16313,27 +18163,34 @@ SKU Support: - 0 (default) – Disabled. - 1 – Enabled. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: No -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/IgnoreMOAppDownloadLimit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -16355,28 +18212,34 @@ SKU Support: 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/IgnoreMOUpdateDownloadLimit** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. @@ -16396,28 +18259,34 @@ SKU Support: 3. Verify that any downloads that are above the download size limit will complete without being paused. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseDeferrals** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16436,26 +18305,34 @@ SKU Support:

    If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseFeatureUpdates** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. @@ -16469,51 +18346,67 @@ SKU Support: - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseFeatureUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseQualityUpdates** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcheck mark1
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16525,51 +18418,67 @@ SKU Support: - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/PauseQualityUpdatesStartTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.

    Value type is string. Supported operations are Add, Get, Delete, and Replace. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/RequireDeferUpgrade** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16584,26 +18493,34 @@ SKU Support: - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/RequireUpdateApproval** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16623,22 +18540,7 @@ SKU Support: - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/ScheduleImminentRestartWarning** @@ -16654,9 +18556,6 @@ SKU Support:

    The default value is 15 (minutes). - - - @@ -16673,14 +18572,34 @@ SKU Support:

    The default value is 4 (hours). - - - **Update/ScheduledInstallDay** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16703,26 +18622,34 @@ SKU Support: - 6 – Friday - 7 – Saturday - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/ScheduledInstallTime** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16738,22 +18665,7 @@ SKU Support:

    The default value is 3. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/SetAutoRestartNotificationDisable** @@ -16770,14 +18682,34 @@ SKU Support: - 0 (default) – Enabled - 1 – Disabled - - - **Update/SetEDURestart** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2cross markcheck mark2
    + +

    Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. @@ -16786,27 +18718,34 @@ SKU Support: - 0 - not configured - 1 - configured - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Update/UpdateServiceUrl** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcross markcheck mark
    + + > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -16841,26 +18780,34 @@ Example ``` - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Update/UpdateServiceUrlAlternate** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + + > **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -16877,22 +18824,7 @@ SKU Support: > If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WiFi/AllowWiFiHotSpotReporting** @@ -16900,14 +18832,34 @@ SKU Support:

    This policy has been deprecated. - - - **Wifi/AllowAutoConnectToWiFiSenseHotspots** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow or disallow the device to automatically connect to Wi-Fi hotspots. @@ -16918,26 +18870,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/AllowInternetSharing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow or disallow internet sharing. @@ -16948,26 +18908,34 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Wifi/AllowManualWiFiConfiguration** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    + +

    Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. @@ -16981,27 +18949,34 @@ SKU Support: > [!NOTE] > Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. - - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/AllowWiFi** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1check markcheck mark
    + +

    Allow or disallow WiFi connection. @@ -17012,53 +18987,68 @@ SKU Support:

    Most restricted value is 0. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): Yes - - **Wifi/AllowWiFiDirect** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. Allow WiFi Direct connection.. - 0 - WiFi Direct connection is not allowed. - 1 - WiFi Direct connection is allowed. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **Wifi/WLANScanMode** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck markcheck markcheck markcheck markcheck mark
    + +

    Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. @@ -17068,26 +19058,34 @@ SKU Support:

    Supported operations are Add, Delete, Get, and Replace. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. @@ -17096,26 +19094,34 @@ SKU Support: - 0 - app suggestions are not allowed. - 1 (default) -allow app suggestions. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WindowsInkWorkspace/AllowWindowsInkWorkspace** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. @@ -17125,22 +19131,7 @@ SKU Support: - 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. - 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WindowsLogon/DisableLockScreenAppNotifications** @@ -17152,8 +19143,6 @@ If you enable this policy setting, no app notifications are displayed on the loc If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. - - ADMX Info: @@ -17174,8 +19163,6 @@ If you enable this policy setting, the PC's network connectivity state cannot be If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. - - ADMX Info: @@ -17189,6 +19176,29 @@ ADMX Info: **WindowsLogon/HideFastUserSwitching** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2cross markcross mark
    + +

    Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. @@ -17202,80 +19212,102 @@ ADMX Info: 1. Enable policy. 2. Verify that the Switch account button in Start is hidden. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionFromPC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. - 0 - your PC cannot discover or project to other devices. - 1 - your PC can discover and project to other devices - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionFromPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. - 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. - 1 - your PC can discover and project to other devices over infrastructure. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionToPC** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. @@ -17286,49 +19318,41 @@ SKU Support: - 0 - projection to PC is not allowed. Always off and the user cannot enable it. - 1 (default) - projection to PC is allowed. Enabled only above the lock screen. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowProjectionToPCOverInfrastructure** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
    + +

    Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. - 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. - 1 - your PC is discoverable and other devices can project to it over infrastructure. - - - - -SKU Support: -- Home: No -- Pro: Yes -- Business: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: Yes -- Mobile Enterprise: Yes -- IoT Core: Yes -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** @@ -17336,19 +19360,34 @@ SKU Support:

    Added in Windows 10, version 1703. - - - - -SKU Support: -- Can be set using Exchange Active Sync (EAS): No - - **WirelessDisplay/RequirePinForPairing** + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobileEnterprise
    cross markcheck mark1check mark1check mark1cross markcross mark
    + +

    Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. @@ -17359,25 +19398,91 @@ SKU Support: - 0 (default) - PIN is not required. - 1 - PIN is required. - - - -SKU Support: -- Home: No -- Pro: Yes -- Enterprise: Yes -- Education: Yes -- Mobile: No -- Mobile Enterprise: No -- IoT Core: No -- Can be set using Exchange Active Sync (EAS): No - -

    + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. + + +## IoT Core Support + +[ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) +[Authentication/AllowFastReconnect](#authentication-allowfastreconnect) +[Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) +[Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) +[Bluetooth/LocalDeviceName](#bluetooth-localdevicename) +[Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) +[Browser/AllowAutofill](#browser-allowautofill) +[Browser/AllowBrowser](#browser-allowbrowser) +[Browser/AllowCookies](#browser-allowcookies) +[Browser/AllowDoNotTrack](#browser-allowdonottrack) +[Browser/AllowInPrivate](#browser-allowinprivate) +[Browser/AllowPasswordManager](#browser-allowpasswordmanager) +[Browser/AllowPopups](#browser-allowpopups) +[Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) +[Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) +[Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) +[Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowNFC](#connectivity-allownfc) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) +[Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) +[DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) +[Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) +[Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) +[System/AllowEmbeddedMode](#system-allowembeddedmode) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) +[Update/AllowUpdateService](#update-allowupdateservice) +[Update/PauseDeferrals](#update-pausedeferrals) +[Update/RequireDeferUpgrade](#update-requiredeferupgrade) +[Update/RequireUpdateApproval](#update-requireupdateapproval) +[Update/ScheduledInstallDay](#update-scheduledinstallday) +[Update/ScheduledInstallTime](#update-scheduledinstalltime) +[Update/UpdateServiceUrl](#update-updateserviceurl) +[Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) +[Wifi/WLANScanMode](#wifi-wlanscanmode) + + + +## Can be set using Exchange Active Sync (EAS) + +[Browser/AllowBrowser](#browser-allowbrowser) +[Camera/AllowCamera](#camera-allowcamera) +[Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +[Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +[DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +[DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +[DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +[DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +[DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +[DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +[DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +[DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +[DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +[Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +[Security/RequireDeviceEncryption](#security-requiredeviceencryption) +[System/AllowStorageCard](#system-allowstoragecard) +[System/TelemetryProxy](#system-telemetryproxy) +[Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +[Wifi/AllowWiFi](#wifi-allowwifi) + + ## Examples diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index efa0e89be6..3a2d11e3db 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -3,7 +3,6 @@ title: Policy DDF file description: Policy DDF file ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index 2cb168e938..8124940a17 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md @@ -3,7 +3,6 @@ title: PolicyManager CSP description: PolicyManager CSP ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index f61493284d..9ae10f0f2c 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -3,7 +3,6 @@ title: Provisioning CSP description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. ms.assetid: 5D6C17BE-727A-4AFA-9F30-B34C1EA1D2AE ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md index 232c24c577..65e4ceb727 100644 --- a/windows/client-management/mdm/proxy-csp.md +++ b/windows/client-management/mdm/proxy-csp.md @@ -3,7 +3,6 @@ title: PROXY CSP description: PROXY CSP ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index f1a3ecd178..e34d5f94f2 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' ms.assetid: 9031C4FE-212A-4481-A1B0-4C3190B388AE ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index c3f87cc0b1..d3391b6066 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -3,7 +3,6 @@ title: PXLOGICAL configuration service provider description: PXLOGICAL configuration service provider ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index cfad2ad6cc..6180829e89 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -3,7 +3,6 @@ title: Reboot CSP description: Reboot CSP ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 67009f2c73..714d7255ec 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -3,7 +3,6 @@ title: Reboot DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: ABBD850C-E744-462C-88E7-CA3F43D80DB1 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index d24704702f..ee5bc80e60 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -3,7 +3,6 @@ title: Reclaim seat from user description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business. ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md index 8002c63f93..344a2176e6 100644 --- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md @@ -3,7 +3,6 @@ title: Register your free Azure Active Directory subscription description: If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md index 7c76304899..3874d0f2d7 100644 --- a/windows/client-management/mdm/registry-csp.md +++ b/windows/client-management/mdm/registry-csp.md @@ -3,7 +3,6 @@ title: Registry CSP description: Registry CSP ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md index 8d7b6f0437..5ee429e5ca 100644 --- a/windows/client-management/mdm/registry-ddf-file.md +++ b/windows/client-management/mdm/registry-ddf-file.md @@ -3,7 +3,6 @@ title: Registry DDF file description: Registry DDF file ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index a0b0394e85..29447d3ed2 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -3,7 +3,6 @@ title: RemoteFind CSP description: The RemoteFind configuration service provider retrieves the location information for a particular device. ms.assetid: 2EB02824-65BF-4B40-A338-672D219AF5A0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md index 39ef5ef10c..c30856f87d 100644 --- a/windows/client-management/mdm/remotefind-ddf-file.md +++ b/windows/client-management/mdm/remotefind-ddf-file.md @@ -3,7 +3,6 @@ title: RemoteFind DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: 5864CBB8-2030-459E-BCF6-9ACB69206FEA ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index 60ace9895a..1ac58b24af 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -3,7 +3,6 @@ title: RemoteLock CSP description: RemoteLock CSP ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md index 3c6aa51b8e..1f09e6508c 100644 --- a/windows/client-management/mdm/remotelock-ddf-file.md +++ b/windows/client-management/mdm/remotelock-ddf-file.md @@ -3,7 +3,6 @@ title: RemoteLock DDF file description: RemoteLock DDF file ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 16d8944f56..4f16070cb7 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -3,7 +3,6 @@ title: RemoteRing CSP description: RemoteRing CSP ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotering-ddf-file.md b/windows/client-management/mdm/remotering-ddf-file.md index 14c6e86853..8d690e645e 100644 --- a/windows/client-management/mdm/remotering-ddf-file.md +++ b/windows/client-management/mdm/remotering-ddf-file.md @@ -3,7 +3,6 @@ title: RemoteRing DDF file description: This topic shows the OMA DM device description framework (DDF) for the RemoteRing configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: 6815267F-212B-4370-8B72-A457E8000F7B ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index fdc42fcd79..81a742eab8 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -3,7 +3,6 @@ title: RemoteWipe CSP description: RemoteWipe CSP ms.assetid: 6e89bd37-7680-4940-8a67-11ed062ffb70 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 4ef0e34483..fa91cdb835 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -3,7 +3,6 @@ title: RemoteWipe DDF file description: RemoteWipe DDF file ms.assetid: 10ec4fb7-f911-4d0c-9a8f-e96bf5faea0c ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index 0137e3097f..83d3d3f5b5 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -3,7 +3,6 @@ title: Reporting CSP description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. ms.assetid: 148441A6-D9E1-43D8-ADEE-FB62E85A39F7 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md index a89ce96efd..ff3de3aab3 100644 --- a/windows/client-management/mdm/reporting-ddf-file.md +++ b/windows/client-management/mdm/reporting-ddf-file.md @@ -3,7 +3,6 @@ title: Reporting DDF file description: This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607. ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index 77b01bb174..87ad349555 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' ms.assetid: 8C48A879-525A-471F-B0FD-506E743A7D2F ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index f22a21bbca..ae0852dd78 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -3,7 +3,6 @@ title: RootCATrustedCertificates CSP description: RootCATrustedCertificates CSP ms.assetid: F2F25DEB-9DB3-40FB-BC3C-B816CE470D61 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index e44b75f35f..e825e38ead 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -3,7 +3,6 @@ title: RootCATrustedCertificates DDF file description: RootCATrustedCertificates DDF file ms.assetid: 06D8787B-D3E1-4D4B-8A21-8045A8F85C1C ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md index ee300806d6..8ab213e4cf 100644 --- a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md @@ -3,7 +3,6 @@ title: Samples for writing a custom configuration service provider description: Samples for writing a custom configuration service provider ms.assetid: ccda4d62-7ce1-483b-912f-25d50c974270 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 3fbe5c4934..8f671e0d21 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -3,7 +3,6 @@ title: SecureAssessment CSP description: SecureAssessment CSP ms.assetid: 6808BE4B-961E-4638-BF15-FD7841D1C00A ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index bd7735f020..57601f53e0 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -3,7 +3,6 @@ title: SecureAssessment DDF file description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 136c194750..28e87b7c43 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -3,7 +3,6 @@ title: SecurityPolicy CSP description: SecurityPolicy CSP ms.assetid: 6014f8fe-f91b-49f3-a357-bdf625545bc9 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index f246e7d55f..0ced05ef07 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' ms.assetid: 5b90b631-62a6-4949-b53a-01275fd304b2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 87be3f9d46..e8b16b4a18 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -3,7 +3,6 @@ title: SharedPC CSP description: SharedPC CSP ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 5eae914295..e666ac45e9 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -3,7 +3,6 @@ title: SharedPC DDF file description: SharedPC DDF file ms.assetid: 70234197-07D4-478E-97BB-F6C651C0B970 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md index fd4bad420f..e383685013 100644 --- a/windows/client-management/mdm/storage-csp.md +++ b/windows/client-management/mdm/storage-csp.md @@ -3,7 +3,6 @@ title: Storage CSP description: Storage CSP ms.assetid: b19bdb54-53ed-42ce-a5a1-269379013f57 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index 66b26271dd..2cf0a17551 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -3,7 +3,6 @@ title: Storage DDF file description: Storage DDF file ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 1f660e0871..031e69f53b 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -3,7 +3,6 @@ title: Structure of OMA DM provisioning files description: Structure of OMA DM provisioning files ms.assetid: 7bd3ef57-c76c-459b-b63f-c5a333ddc2bc ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index e31b753df9..150ca95701 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -3,7 +3,6 @@ title: SUPL CSP description: SUPL CSP ms.assetid: afad0120-1126-4fc5-8e7a-64b9f2a5eae1 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 1ef676128e..266c2dcaf6 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -3,7 +3,6 @@ title: SUPL DDF file description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. ms.assetid: 514B7854-80DC-4ED9-9805-F5276BF38034 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 68d78164bc..f751e53b34 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -3,7 +3,6 @@ title: SurfaceHub CSP description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. ms.assetid: 36FBBC32-AD6A-41F1-86BF-B384891AA693 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index de0c0b9fa8..590539f3bb 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -3,7 +3,6 @@ title: SurfaceHub DDF file description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. ms.assetid: D34DA1C2-09A2-4BA3-BE99-AC483C278436 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index e2329c9d3a..a308149484 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -2,7 +2,6 @@ title: Understanding ADMX-backed policies description: Starting in Windows 10, version 1703, you can use ADMX-backed policies for Windows 10 mobile device management (MDM) across Windows 10 devices. ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index f90d37f542..8ef347d5c5 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -3,7 +3,6 @@ title: UnifiedWriteFilter CSP description: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md index bef19ee495..ae3e8f02e5 100644 --- a/windows/client-management/mdm/unifiedwritefilter-ddf.md +++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md @@ -3,7 +3,6 @@ title: UnifiedWriteFilter DDF File description: UnifiedWriteFilter DDF File ms.assetid: 23A7316E-A298-43F7-9407-A65155C8CEA6 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index f07b5f46ae..61923798e2 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -3,7 +3,6 @@ title: Update CSP description: Update CSP ms.assetid: F1627B57-0749-47F6-A066-677FDD3D7359 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index 558969ab44..a7617b44d2 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -3,7 +3,6 @@ title: Update DDF file description: Update DDF file ms.assetid: E236E468-88F3-402A-BA7A-834ED38DD388 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md index dba9ea2559..8eda2844e1 100644 --- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md @@ -3,7 +3,6 @@ title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the WMI Bridge Provider. ms.assetid: 238D45AD-3FD8-46F9-B7FB-6AEE42BE4C08 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 9586f036df..7310156f21 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -3,7 +3,6 @@ title: VPN CSP description: VPN CSP ms.assetid: 05ca946a-1c0b-4e11-8d7e-854e14740707 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index b7df473e8d..d5e1303442 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -3,7 +3,6 @@ title: VPN DDF file description: VPN DDF file ms.assetid: 728FCD9C-0B8E-413B-B54A-CD72C9F2B9EE ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 3f35c408f3..5b48d34a09 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -3,7 +3,6 @@ title: VPNv2 CSP description: VPNv2 CSP ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 822775ffd1..b91f59555f 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -3,7 +3,6 @@ title: VPNv2 DDF file description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. ms.assetid: 4E2F36B7-D2EE-4F48-AD1A-6BDE7E72CC94 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 0bb5af26eb..8099da7143 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -3,7 +3,6 @@ title: ProfileXML XSD description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. ms.assetid: 2F32E14B-F9B9-4760-AE94-E57F1D4DFDB3 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 6811665979..1559b6350d 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -3,7 +3,6 @@ title: w4 APPLICATION CSP description: w4 APPLICATION CSP ms.assetid: ef42b82a-1f04-49e4-8a48-bd4e439fc43a ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 759687bbaa..cc931c7f9a 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -3,7 +3,6 @@ title: w7 APPLICATION CSP description: w7 APPLICATION CSP ms.assetid: 10f8aa16-5c89-455d-adcd-d7fb45d4e768 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index dfce51cf8b..d1ed9593eb 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -3,7 +3,6 @@ title: WiFi CSP description: WiFi CSP ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index b2c92b66c4..4443fab25f 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -3,7 +3,6 @@ title: WiFi DDF file description: WiFi DDF file ms.assetid: 00DE1DA7-23DE-4871-B3F0-28EB29A62D61 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index a695c95c42..3cfa5fbda0 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -2,7 +2,6 @@ title: Win32 and Desktop Bridge app policy configuration description: Starting in Windows 10, version 1703, you can import ADMX files and set those ADMX-backed policies for Win32 and Desktop Bridge apps. ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows @@ -25,8 +24,27 @@ author: nickbrower Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. -When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys. +When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: +- Software\Policies\Microsoft\Office\ +- Software\Microsoft\Office\ +- Software\Microsoft\Windows\CurrentVersion\Explorer\ +- Software\Microsoft\Internet Explorer\ +- software\policies\microsoft\shared tools\proofing tools\ +- software\policies\microsoft\imejp\ +- software\policies\microsoft\ime\shared\ +- software\policies\microsoft\shared tools\graphics filters\ +- software\policies\microsoft\windows\currentversion\explorer\ +- software\policies\microsoft\softwareprotectionplatform\ +- software\policies\microsoft\officesoftwareprotectionplatform\ +- software\policies\microsoft\windows\windows search\preferences\ +- software\policies\microsoft\exchange\ +- software\microsoft\shared tools\proofing tools\ +- software\microsoft\shared tools\graphics filters\ +- software\microsoft\windows\windows search\preferences\ +- software\microsoft\exchange\ +- software\policies\microsoft\vba\security\ +- software\microsoft\onedrive ## Ingesting an app ADMX file diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index fac6fa087b..935df946c0 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -3,7 +3,6 @@ title: Win32AppInventory CSP description: Win32AppInventory CSP ms.assetid: C0DEDD51-4EAD-4F8E-AEE2-CBE9658BCA22 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index 6f1be614a7..97eafeb66c 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -3,7 +3,6 @@ title: Win32AppInventory DDF file description: Win32AppInventory DDF file ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md index c65557756b..51943be64f 100644 --- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' ms.assetid: 92711D65-3022-4789-924B-602BE3187E23 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c9a912cf37..bced249094 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -3,7 +3,6 @@ title: WindowsAdvancedThreatProtection CSP description: WindowsAdvancedThreatProtection CSP ms.assetid: 6C3054CA-9890-4C08-9DB6-FBEEB74699A8 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 91edc0dc54..135648a616 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -3,7 +3,6 @@ title: WindowsAdvancedThreatProtection DDF file description: WindowsAdvancedThreatProtection DDF file ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 50477abddc..bdc1b02533 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -3,7 +3,6 @@ title: WindowsLicensing CSP description: WindowsLicensing CSP ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 57596d4082..5ac78fc98d 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -3,7 +3,6 @@ title: WindowsLicensing DDF file description: WindowsLicensing DDF file ms.assetid: 2A24C922-A167-4CEE-8F74-08E7453800D2 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index 6469cc2ead..686a058d93 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -3,7 +3,6 @@ title: WindowsSecurityAuditing CSP description: The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511. ms.assetid: 611DF7FF-21CE-476C-AAB5-3D09C1CDF08A ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md index 0516beed40..cd9ef72d61 100644 --- a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md +++ b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md @@ -3,7 +3,6 @@ title: WindowsSecurityAuditing DDF file description: This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511. ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0 ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index a52244e200..ade8ecd858 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -6,7 +6,6 @@ MS-HAID: - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' ms.assetid: 7D533044-AAD7-4B8F-B71B-9D52C15A168A ms.author: maricia -ms.date: 05/02/2017 ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index adf99d68fe..8a06655003 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -122,6 +122,9 @@ When you have the Start layout that you want your users to see, use the [Export- +>[!IMPORTANT] +>If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. + ## Configure a partial Start layout diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 33a512ae37..4c7a24ae08 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md @@ -15,7 +15,7 @@ author: jdeckerms Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. -When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. +When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm). The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index c103eb3576..40ccf85845 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -160,35 +160,40 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap - By using a path to a shortcut link (.lnk file) to a Windows desktop application. - To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. + >[!NOTE] + >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in. - The following example shows how to pin the Command Prompt: + To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. - ```XML - - ``` + ``` - You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. + You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables. - If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". + If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\". - By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option. - To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. + You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID. - The following example shows how to pin the Internet Explorer Windows desktop application: + To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - ```XML + The following example shows how to pin the Internet Explorer Windows desktop application: + + ```XML - ``` + ``` You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile. @@ -205,6 +210,9 @@ The following example shows how to create a tile of the Web site's URL, which yo Column="2"/> ``` +>[!NOTE] +>In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL. + #### start:SecondaryTile You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag). @@ -273,6 +281,9 @@ The following example shows how to modify your LayoutModification.xml file to ad You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start. +>[!NOTE] +>The OEM must have installed Office for this tag to work. + The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start: ```XML @@ -289,6 +300,9 @@ The following example shows how to add the **AppendOfficeSuite** tag to your Lay You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group. +>[!NOTE] +>The OEM must have installed the Office trial installer for this tag to work. + The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file: ```XML diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index d8b003ff30..5fc6d0a993 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -64,7 +64,7 @@ There are three categories of apps that might be pinned to a taskbar: * Apps pinned by the enterprise, such as in an unattended Windows setup >[!NOTE] - >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index b01537fa06..87134c472f 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -73,16 +73,23 @@ MBR2GPT: Validation completed successfully In the following example: -1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. +1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0. 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type. 2. The MBR2GPT tool is used to convert disk 0. -3. The DISKPART tool displays that disk 0 is now using the GPT format. +3. The DiskPart tool displays that disk 0 is now using the GPT format. 4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3). 5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type. >As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly. ``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + DISKPART> list volume Volume ### Ltr Label Fs Type Size Status Info @@ -140,7 +147,7 @@ MBR2GPT: Fixing drive letter mapping MBR2GPT: Conversion completed successfully MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode! -X:\>diskpart +X:\>DiskPart Microsoft DiskPart version 10.0.15048.0 @@ -364,9 +371,16 @@ You can also view the partition type of a disk by opening the Disk Management to ![Volumes](images/mbr2gpt-volume.PNG) -If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example: +If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example: ``` +X:\>DiskPart + +Microsoft DiskPart version 10.0.15048.0 + +Copyright (C) Microsoft Corporation. +On computer: MININT-K71F13N + DISKPART> list disk Disk ### Status Size Free Dyn Gpt diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png new file mode 100644 index 0000000000..266c5b7210 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-assessment.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png new file mode 100644 index 0000000000..977478fb74 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-overview.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png new file mode 100644 index 0000000000..2c6c355ca4 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-prot-status.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png new file mode 100644 index 0000000000..733bfb6ae7 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png new file mode 100644 index 0000000000..d914960a7a Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png new file mode 100644 index 0000000000..7d8021b02e Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png new file mode 100644 index 0000000000..cd500c2cb3 Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png new file mode 100644 index 0000000000..30e2e2352f Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-log.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png new file mode 100644 index 0000000000..c7d1a436fe Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-query.png differ diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png new file mode 100644 index 0000000000..ada9c09bbf Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-threat-status.png differ diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index f6c1878943..2b42051399 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -10,7 +10,7 @@ author: greg-lindsay # Get started with Update Compliance -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: 1. Ensure that [prerequisites](#update-compliance-prerequisites) are met. @@ -19,22 +19,25 @@ Steps are provided in sections that follow the recommended setup process: ## Update Compliance Prerequisites -Update Compliance has the following requirements: -1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). -2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). +Update Compliance has the following requirements: +1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). +2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). 3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: - -
    ServiceEndpoint -
    Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com -
    settings-win.data.microsoft.com -
    Windows Error Reporting watson.telemetry.microsoft.com -
    Online Crash Analysis oca.telemetry.microsoft.com -
    + +
    ServiceEndpoint +
    Connected User Experience and Telemetry componentv10.vortex-win.data.microsoft.com +
    settings-win.data.microsoft.com +
    Windows Error Reporting watson.telemetry.microsoft.com +
    Online Crash Analysis oca.telemetry.microsoft.com +
    + +4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV. + ## Add Update Compliance to Microsoft Operations Management Suite -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace. @@ -52,7 +55,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update -3. Create a new OMS workspace. +3. Create a new OMS workspace.

    @@ -76,7 +79,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace. +7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.

    @@ -100,7 +103,7 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer ## Deploy your Commercial ID to your Windows 10 devices -In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). +In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM). - Using Group Policy

    Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor. @@ -114,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th ## Related topics -[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 39d8b0e012..08daf13df1 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -31,7 +31,8 @@ Update Compliance has the following primary blades: 3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status) 4. [Overall Feature Update Status](#overall-feature-update-status) 5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status) -6. [List of Queries](#list-of-queries) +6. [Windows Defender Antivirus Assessment](#wdav-assessment) +7. [List of Queries](#list-of-queries) ## OS Update Overview @@ -41,6 +42,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b ![OS Update Overview](images/uc-11.png) + This blade is divided into three sections: - Device Summary: - Needs Attention Summary @@ -139,6 +141,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.  + +## Windows Defender Antivirus Assessment + +You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot. + +![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png) + +The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues. + +If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions. + +There are two blades in the Windows Defender AV Assessment section: + +- Protection status +- Threats status + +![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png) + +The **Protection Status** blade shows three key measurements: + +1. How many devices have old or current signatures (also known as protection updates or definitions) +2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection + + +![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png) + +See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates. + +The **Threats Status** blade shows the following measurements: + +1. How many devices that have threats that have been remediated (removed or quarantined on the device) +2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required) + + +![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png) + +Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated. + +> [!IMPORTANT] +> The data reported in Update Compliance can be delayed by up to 24 hours. + +See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks. + +As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below. + + +### Investigate individual devices and threats + + +Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status. + +![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png) + +You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV. + +![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png) + + + + + + + + +You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**. + +![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png) + + + +Click **+Add** at the bottom of the filter pane to open a list of filters you can apply. + +![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png) + + +You can also click the **. . .** button next to each label to instantly filter by that label or value. + +![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png) + +You can create your own queries by using a query string in the following format: + +``` +Type: