From 64ce542cb728735a9c83b76cf9f84ddc6e01b5f9 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 20 May 2021 14:49:46 +0530 Subject: [PATCH] Update policy-ddf-file.md --- .../client-management/mdm/policy-ddf-file.md | 84516 ---------------- 1 file changed, 84516 deletions(-) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index de9a8618a9..dde8b3089c 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -32,84519 +32,3 @@ You can view various Policy DDF files by clicking the following links: - [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). - -The XML below is the DDF for Windows 10, version 20H2. - -```xml - -]> - - 1.2 - - Policy - ./User/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/10.0/MDM/Policy - - - - Config - - - - - - - - - - - - - - - - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePrivateStoreOnly - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AttachmentManager - - - - - - - - - - - - - - - - - - - - - DoNotPreserveZoneInformation - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideZoneInfoMechanism - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotifyAntivirusPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Authentication - - - - - - - - - - - - - - - - - - - - - AllowEAPCertSSO - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Autoplay - - - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Browser - - - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - - - - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - - - AllowAutofill - - - - - - - - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowBrowser - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConfigurationUpdateForBooksLibrary - - - - - - - - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - - - AllowCookies - - - - - - - - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - - - AllowDeveloperTools - - - - - - - - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowDoNotTrack - - - - - - - - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - - - AllowExtensions - - - - - - - - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlash - - - - - - - - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlashClickToRun - - - - - - - - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - - - AllowFullScreenMode - - - - - - - - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowInPrivate - - - - - - - - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - - - AllowMicrosoftCompatibilityList - - - - - - - - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - - - AllowPasswordManager - - - - - - - - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - - - AllowPopups - - - - - - - - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - - - AllowPrelaunch - - - - - - - - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowPrinting - - - - - - - - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - - - AllowSavingHistory - - - - - - - - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - - - AllowSearchEngineCustomization - - - - - - - - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - - - AllowSearchSuggestionsinAddressBar - - - - - - - - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSideloadingOfExtensions - - - - - - - - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSmartScreen - - - - - - - - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - - - AllowTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowWebContentOnNewTabPage - - - - - - - - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - - - AlwaysEnableBooksLibrary - - - - - - - - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - - - ClearBrowsingDataOnExit - - - - - - - - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureAdditionalSearchEngines - - - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - ConfigureFavoritesBar - - - - - - - - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - - - ConfigureHomeButton - - - - - - - - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - - - ConfigureKioskMode - - - - - - - - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureKioskResetAfterIdleTimeout - - - - - - - - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - - - ConfigureOpenMicrosoftEdgeWith - - - - - - - - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - - - - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - - - DisableLockdownOfStartPages - - - - - - - - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - - - EnableExtendedBooksTelemetry - - - - - - - - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - - - EnterpriseModeSiteList - - - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - FirstRunURL - - - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - - - - HomePages - - - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - - - - LockdownFavorites - - - - - - - - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - - - - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - PreventCertErrorOverrides - - - - - - - - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - - - PreventFirstRunPage - - - - - - - - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventLiveTileDataCollection - - - - - - - - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverride - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverrideForFiles - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTurningOffRequiredExtensions - - - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - - - - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - - - ProvisionFavorites - - - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - - - - SendIntranetTraffictoInternetExplorer - - - - - - - - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - - - SetDefaultSearchEngine - - - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - SetHomeButtonURL - - - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - - - - SetNewTabPageURL - - - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - - - - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - - - - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - - - UnlockHomeButton - - - - - - - - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - - - UseSharedFolderForBooks - - - - - - - - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Desktop - - - - - - - - - - - - - - - - - - - - - PreventUserRedirectionOfProfileFolders - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Display - - - - - - - - - - - - - - - - - - - - - EnablePerProcessDpi - - - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - - - - Education - - - - - - - - - - - - - - - - - - - - - AllowGraphingCalculator - - - - - - - - This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. - - - - - - - - - - - text/plain - - - - - DefaultPrinterName - - - - - - - - This policy sets user's default printer - - - - - - - - - - - text/plain - - - - - PreventAddingNewPrinters - - - - - - - - Boolean that specifies whether or not to prevent user to install new printers - - - - - - - - - - - text/plain - - - - - PrinterNames - - - - - - - - This policy provisions per-user network printers - - - - - - - - - - - text/plain - - - - - - EnterpriseCloudPrint - - - - - - - - - - - - - - - - - - - - - CloudPrinterDiscoveryEndPoint - - - - - - - - This policy provisions per-user discovery end point to discover cloud printers - - - - - - - - - - - text/plain - - - - - CloudPrintOAuthAuthority - - - - - - - - Authentication endpoint for acquiring OAuth tokens - - - - - - - - - - - text/plain - - - - - CloudPrintOAuthClientId - - - - - - - - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - - - - - - - - - - - text/plain - - - - - CloudPrintResourceId - - - - - - - - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication - - - - - - - - - - - text/plain - - - - - DiscoveryMaxPrinterLimit - - - - - - - - Defines the maximum number of printers that should be queried from discovery end point - - - - - - - - - - - text/plain - - - - - MopriaDiscoveryResourceId - - - - - - - - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication - - - - - - - - - - - text/plain - - - - - - Experience - - - - - - - - - - - - - - - - - - - - - AllowTailoredExperiencesWithDiagnosticData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowThirdPartySuggestionsInWindowsSpotlight - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlight - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightOnActionCenter - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightOnSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsSpotlightWindowsWelcomeExperience - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWindowsSpotlightOnLockScreen - - - - - - - - - - - - - - - - - - - text/plain - - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAddOnList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableActiveXVersionListAutoDownload - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCompatView - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGeolocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProxyChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SearchProviderList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - - - - BlockedUrls - - - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - - - - DefaultURL - - - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - - - - EnableEndSessionButton - - - - - - - - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - - - EnableHomeButton - - - - - - - - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - - - EnableNavigationButtons - - - - - - - - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - - - RestartOnIdleTime - - - - - - - - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - - - - Multitasking - - - - - - - - - - - - - - - - - - - - - BrowserAltTabBlowout - - - - - - - - Configures the inclusion of Edge tabs into Alt-Tab. - - - - - - - - - - - text/plain - - - - - - Notifications - - - - - - - - - - - - - - - - - - - - - DisallowNotificationMirroring - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowTileNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Printers - - - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions_User - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Privacy - - - - - - - - - - - - - - - - - - - - - DisablePrivacyExperience - - - - - - - - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - - - - Security - - - - - - - - - - - - - - - - - - - - - RecoveryEnvironmentAuthentication - - - - - - - - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - - - - Settings - - - - - - - - - - - - - - - - - - - - - ConfigureTaskbarCalendar - - - - - - - - - - - - - - - - - - - text/plain - - - - - PageVisibilityList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Start - - - - - - - - - - - - - - - - - - - - - DisableContextMenus - - - - - - - - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - - - ForceStartSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideAppList - - - - - - - - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideFrequentlyUsedApps - - - - - - - - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HidePeopleBar - - - - - - - - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. - - - - - - - - - - - text/plain - - - - - HideRecentJumplists - - - - - - - - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRecentlyAddedApps - - - - - - - - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - StartLayout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - - - - - - - - - - - - - - - - - AllowTelemetry - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - - - Result - - - - - - - - - - - - - - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - AlwaysInstallElevated - HighestValueMostSecure - - - - RequirePrivateStoreOnly - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly - HighestValueMostSecure - - - - - AttachmentManager - - - - - - - - - - - - - - - - - - - DoNotPreserveZoneInformation - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_MarkZoneOnSavedAtttachments - LastWrite - - - - HideZoneInfoMechanism - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_RemoveZoneInfo - LastWrite - - - - NotifyAntivirusPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - AttachmentManager.admx - AttachmentManager~AT~WindowsComponents~AM_AM - AM_CallIOfficeAntiVirus - LastWrite - - - - - Authentication - - - - - - - - - - - - - - - - - - - AllowEAPCertSSO - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Autoplay - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutoplayfornonVolume - LastWrite - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutorun - LastWrite - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - Autorun - LastWrite - - - - - Browser - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - 1 - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAddressBarDropdown - LowestValueMostSecure - - - - AllowAutofill - - - - - 0 - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAutofill - LowestValueMostSecure - - - - AllowBrowser - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowConfigurationUpdateForBooksLibrary - - - - - 1 - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCookies - - - - - 2 - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - CookiesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - Cookies - LowestValueMostSecure - - - - AllowDeveloperTools - - - - - 1 - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDeveloperTools - LowestValueMostSecure - - - - AllowDoNotTrack - - - - - 0 - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDoNotTrack - LowestValueMostSecure - - - - AllowExtensions - - - - - 1 - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowExtensions - LowestValueMostSecure - - - - AllowFlash - - - - - 1 - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlash - HighestValueMostSecure - - - - AllowFlashClickToRun - - - - - 1 - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlashClickToRun - HighestValueMostSecure - - - - AllowFullScreenMode - - - - - 1 - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFullScreenMode - LowestValueMostSecure - - - - AllowInPrivate - - - - - 1 - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowInPrivate - LowestValueMostSecure - - - - AllowMicrosoftCompatibilityList - - - - - 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowCVList - LowestValueMostSecure - - - - AllowPasswordManager - - - - - 1 - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPasswordManager - LowestValueMostSecure - - - - AllowPopups - - - - - 0 - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPopups - LowestValueMostSecure - - - - AllowPrelaunch - - - - - 1 - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrelaunch - LowestValueMostSecure - - - - AllowPrinting - - - - - 1 - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrinting - LowestValueMostSecure - - - - AllowSavingHistory - - - - - 1 - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSavingHistory - LowestValueMostSecure - - - - AllowSearchEngineCustomization - - - - - 1 - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchEngineCustomization - LowestValueMostSecure - - - - AllowSearchSuggestionsinAddressBar - - - - - 1 - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchSuggestionsinAddressBar - LowestValueMostSecure - - - - AllowSideloadingOfExtensions - - - - - 1 - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSideloadingOfExtensions - LowestValueMostSecure - - - - AllowSmartScreen - - - - - 1 - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSmartScreen - LowestValueMostSecure - - - - AllowTabPreloading - - - - - 1 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowTabPreloading - LowestValueMostSecure - - - - AllowWebContentOnNewTabPage - - - - - 1 - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowWebContentOnNewTabPage - LowestValueMostSecure - - - - AlwaysEnableBooksLibrary - - - - - 0 - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AlwaysEnableBooksLibrary - LowestValueMostSecure - - - - ClearBrowsingDataOnExit - - - - - 0 - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowClearingBrowsingDataOnExit - LowestValueMostSecure - - - - ConfigureAdditionalSearchEngines - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfigureAdditionalSearchEngines_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureAdditionalSearchEngines - LastWrite - - - - ConfigureFavoritesBar - - - - - 0 - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureFavoritesBar - LowestValueMostSecure - - - - ConfigureHomeButton - - - - - 0 - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureHomeButtonDropdown - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureHomeButton - LastWrite - - - - ConfigureKioskMode - - - - - 0 - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskMode_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskMode - LastWrite - - - - ConfigureKioskResetAfterIdleTimeout - - - - - 5 - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskResetAfterIdleTimeout_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskResetAfterIdleTimeout - LastWrite - - - - ConfigureOpenMicrosoftEdgeWith - - - - - 3 - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureOpenEdgeWithListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureOpenEdgeWith - LastWrite - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - 0 - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - ZonesListBox - MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryForMicrosoft365Analytics - LowestValueMostSecure - - - - DisableLockdownOfStartPages - - - - - 0 - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - DisableLockdownOfStartPagesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - DisableLockdownOfStartPages - LowestValueMostSecure - - - - EnableExtendedBooksTelemetry - - - - - 0 - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnableExtendedBooksTelemetry - LowestValueMostSecure - - - - EnterpriseModeSiteList - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - EnterSiteListPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnterpriseModeSiteList - LastWrite - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - FirstRunURL - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - HomePages - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - HomePagesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HomePages - LastWrite - - - - LockdownFavorites - - - - - 0 - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - LockdownFavorites - LowestValueMostSecure - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - 0 - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventAccessToAboutFlagsInMicrosoftEdge - HighestValueMostSecure - - - - PreventCertErrorOverrides - - - - - 0 - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventCertErrorOverrides - HighestValueMostSecure - - - - PreventFirstRunPage - - - - - 0 - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventFirstRunPage - HighestValueMostSecure - - - - PreventLiveTileDataCollection - - - - - 0 - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventLiveTileDataCollection - HighestValueMostSecure - - - - PreventSmartScreenPromptOverride - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverride - HighestValueMostSecure - - - - PreventSmartScreenPromptOverrideForFiles - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverrideForFiles - HighestValueMostSecure - - - - PreventTurningOffRequiredExtensions - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - PreventTurningOffRequiredExtensions_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTurningOffRequiredExtensions - LastWrite - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - 0 - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HideLocalHostIPAddress - HighestValueMostSecure - - - - ProvisionFavorites - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfiguredFavoritesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfiguredFavorites - LastWrite - - - - SendIntranetTraffictoInternetExplorer - - - - - 0 - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SendIntranetTraffictoInternetExplorer - HighestValueMostSecure - - - - SetDefaultSearchEngine - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - SetDefaultSearchEngine_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetDefaultSearchEngine - LastWrite - - - - SetHomeButtonURL - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetHomeButtonURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetHomeButtonURL - LastWrite - - - - SetNewTabPageURL - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetNewTabPageURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetNewTabPageURL - LastWrite - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - 0 - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ShowMessageWhenOpeningSitesInInternetExplorer - HighestValueMostSecure - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - 0 - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SyncFavoritesBetweenIEAndMicrosoftEdge - LowestValueMostSecure - - - - UnlockHomeButton - - - - - 0 - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UnlockHomeButton - LowestValueMostSecure - - - - UseSharedFolderForBooks - - - - - 0 - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UseSharedFolderForBooks - LowestValueMostSecure - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - DisablePasswordReveal - LastWrite - - - - - Desktop - - - - - - - - - - - - - - - - - - - PreventUserRedirectionOfProfileFolders - - - - - - - - - - - - - - - - - text/plain - - phone - desktop.admx - desktop~AT~Desktop - DisablePersonalDirChange - LastWrite - - - - - Display - - - - - - - - - - - - - - - - - - - EnablePerProcessDpi - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - phone - Display.admx - DisplayGlobalPerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LowestValueMostSecure - - - - - Education - - - - - - - - - - - - - - - - - - - AllowGraphingCalculator - - - - - 1 - This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, users will be able to access graphing functionality. - - - - - - - - - - - text/plain - - - Programs.admx - Programs~AT~WindowsComponents~Calculator - AllowGraphingCalculator - LowestValueMostSecure - - - - DefaultPrinterName - - - - - - This policy sets user's default printer - - - - - - - - - - - text/plain - - LastWrite - - - - PreventAddingNewPrinters - - - - - 0 - Boolean that specifies whether or not to prevent user to install new printers - - - - - - - - - - - text/plain - - - Printing.admx - Printing~AT~ControlPanel~CplPrinters - NoAddPrinter - HighestValueMostSecure - - - - PrinterNames - - - - - - This policy provisions per-user network printers - - - - - - - - - - - text/plain - - LastWrite - - - - - EnterpriseCloudPrint - - - - - - - - - - - - - - - - - - - CloudPrinterDiscoveryEndPoint - - - - - - This policy provisions per-user discovery end point to discover cloud printers - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintOAuthAuthority - - - - - - Authentication endpoint for acquiring OAuth tokens - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintOAuthClientId - - - - - - A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority - - - - - - - - - - - text/plain - - LastWrite - - - - CloudPrintResourceId - - - - - - Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication - - - - - - - - - - - text/plain - - LastWrite - - - - DiscoveryMaxPrinterLimit - - - - - 20 - Defines the maximum number of printers that should be queried from discovery end point - - - - - - - - - - - text/plain - - - LastWrite - - - - MopriaDiscoveryResourceId - - - - - - Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication - - - - - - - - - - - text/plain - - LastWrite - - - - - Experience - - - - - - - - - - - - - - - - - - - AllowTailoredExperiencesWithDiagnosticData - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableTailoredExperiencesWithDiagnosticData - LowestValueMostSecure - - - - AllowThirdPartySuggestionsInWindowsSpotlight - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableThirdPartySuggestions - LowestValueMostSecure - - - - AllowWindowsSpotlight - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightFeatures - LowestValueMostSecure - - - - AllowWindowsSpotlightOnActionCenter - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightOnActionCenter - LowestValueMostSecure - - - - AllowWindowsSpotlightOnSettings - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightOnSettings - LowestValueMostSecure - - - - AllowWindowsSpotlightWindowsWelcomeExperience - - - - - 1 - - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsSpotlightWindowsWelcomeExperience - LowestValueMostSecure - - - - ConfigureWindowsSpotlightOnLockScreen - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - ConfigureWindowsSpotlight - LowestValueMostSecure - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddSearchProvider - LastWrite - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - TurnOnActiveXFiltering - LastWrite - - - - AllowAddOnList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - AddonManagement_AddOnList - LastWrite - - - - AllowAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictFormSuggestPW - LastWrite - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyWarnCertMismatch - LastWrite - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteOnExit - LastWrite - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode - LastWrite - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AllowServicePoweredQSA - LastWrite - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeEnable - LastWrite - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeSiteList - LastWrite - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_UsePolicyList - LastWrite - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_IntranetSites - LastWrite - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneTemplate - LastWrite - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneTemplate - LastWrite - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneTemplate - LastWrite - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneLockdownTemplate - LastWrite - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneLockdownTemplate - LastWrite - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing - UseIntranetSiteForOneWordEntry - LastWrite - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_Zonemaps - LastWrite - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneLockdownTemplate - LastWrite - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_InvalidSignatureBlock - LastWrite - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneTemplate - LastWrite - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnableSuggestedSites - LastWrite - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneTemplate - LastWrite - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_CertificateRevocation - LastWrite - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DownloadSignatures - LastWrite - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling - IESF_PolicyExplorerProcesses_5 - LastWrite - - - - DisableActiveXVersionListAutoDownload - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VersionListAutomaticDownloadDisable - LastWrite - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - DisableFlashInIE - LastWrite - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - LastWrite - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - LastWrite - - - - DisableCompatView - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_DisableList - LastWrite - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - RestrictHistory - LastWrite - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddonManagement_RestrictCrashDetection - LastWrite - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - LastWrite - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteHistory - LastWrite - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - LastWrite - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - LastWrite - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Background_Syncing - LastWrite - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - LastWrite - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - LastWrite - - - - DisableGeolocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - GeolocationDisable - LastWrite - - - - DisableHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictHomePage - LastWrite - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL - NoCertError - LastWrite - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy - DisableInPrivateBrowsing - LastWrite - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode64Bit - LastWrite - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - LastWrite - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - LastWrite - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - LastWrite - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Security_Settings_Check - LastWrite - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictWebAddressSuggest - LastWrite - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableEPMCompat - LastWrite - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisable - LastWrite - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDomainAllowlist - LastWrite - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_IncludeUnspecifiedLocalSites - LastWrite - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_UNCAsIntranet - LastWrite - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAccessDataSourcesAcrossDomains_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarActiveXURLaction_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarDownloadURLaction_1 - LastWrite - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowPasteViaScript_1 - LastWrite - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDropOrPasteFiles_1 - LastWrite - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 - LastWrite - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyZoneElevationURLaction_1 - LastWrite - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_XAML_1 - LastWrite - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowTDCControl_Both_Internet - LastWrite - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_WebBrowserControl_1 - LastWrite - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyWindowsRestrictionsURLaction_1 - LastWrite - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_AllowScriptlets_1 - LastWrite - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_Phishing_1 - LastWrite - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_ScriptStatusBar_1 - LastWrite - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUserdataPersistence_1 - LastWrite - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowVBScript_1 - LastWrite - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - LastWrite - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 - LastWrite - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadUnsignedActiveX_1 - LastWrite - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyTurnOnXSSFilter_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet - LastWrite - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyMimeSniffingURLaction_1 - LastWrite - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_TurnOnProtectedMode_1 - LastWrite - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_LocalPathForUpload_1 - LastWrite - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - LastWrite - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyJavaPermissions_1 - LastWrite - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_1 - LastWrite - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLogon_1 - LastWrite - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 - LastWrite - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicySignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_UnsafeFiles_1 - LastWrite - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBlockPopupWindows_1 - LastWrite - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAccessDataSourcesAcrossDomains_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarActiveXURLaction_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarDownloadURLaction_3 - LastWrite - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyFontDownload_3 - LastWrite - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyZoneElevationURLaction_3 - LastWrite - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - LastWrite - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_AllowScriptlets_3 - LastWrite - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_Phishing_3 - LastWrite - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUserdataPersistence_3 - LastWrite - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 - LastWrite - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyScriptActiveXNotMarkedSafe_3 - LastWrite - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 - LastWrite - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNavigateSubframesAcrossDomains_3 - LastWrite - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAccessDataSourcesAcrossDomains_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarActiveXURLaction_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarDownloadURLaction_9 - LastWrite - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyFontDownload_9 - LastWrite - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyZoneElevationURLaction_9 - LastWrite - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - LastWrite - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_AllowScriptlets_9 - LastWrite - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_Phishing_9 - LastWrite - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUserdataPersistence_9 - LastWrite - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 - LastWrite - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyScriptActiveXNotMarkedSafe_9 - LastWrite - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyJavaPermissions_9 - LastWrite - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNavigateSubframesAcrossDomains_9 - LastWrite - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyFontDownload_2 - LastWrite - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyZoneElevationURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_AllowScriptlets_2 - LastWrite - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_Phishing_2 - LastWrite - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUserdataPersistence_2 - LastWrite - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_2 - LastWrite - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyJavaPermissions_2 - LastWrite - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_2 - LastWrite - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyJavaPermissions_4 - LastWrite - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyFontDownload_4 - LastWrite - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyZoneElevationURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_AllowScriptlets_4 - LastWrite - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_Phishing_4 - LastWrite - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUserdataPersistence_4 - LastWrite - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_4 - LastWrite - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_4 - LastWrite - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyFontDownload_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyZoneElevationURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_AllowScriptlets_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_Phishing_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUserdataPersistence_10 - LastWrite - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_10 - LastWrite - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyJavaPermissions_10 - LastWrite - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_10 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyFontDownload_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_AllowScriptlets_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_Phishing_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUserdataPersistence_8 - LastWrite - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_8 - LastWrite - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyJavaPermissions_8 - LastWrite - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_8 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyFontDownload_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_AllowScriptlets_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_Phishing_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUserdataPersistence_6 - LastWrite - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_6 - LastWrite - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyJavaPermissions_6 - LastWrite - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_6 - LastWrite - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature - IESF_PolicyExplorerProcesses_6 - LastWrite - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction - IESF_PolicyExplorerProcesses_3 - LastWrite - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NewTabAction - LastWrite - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar - IESF_PolicyExplorerProcesses_10 - LastWrite - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Managing_Safety_Filter_IE9 - LastWrite - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisablePerUserActiveXInstall - LastWrite - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyExplorerProcesses_9 - LastWrite - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisableRunThisTime - LastWrite - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyExplorerProcesses_11 - LastWrite - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyActiveScripting_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBinaryBehaviors_7 - LastWrite - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowPasteViaScript_7 - LastWrite - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDropOrPasteFiles_7 - LastWrite - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFileDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFontDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyZoneElevationURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_XAML_7 - LastWrite - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowMETAREFRESH_7 - LastWrite - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowTDCControl_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_WebBrowserControl_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyWindowsRestrictionsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_AllowScriptlets_7 - LastWrite - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_Phishing_7 - LastWrite - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_ScriptStatusBar_7 - LastWrite - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUserdataPersistence_7 - LastWrite - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowVBScript_7 - LastWrite - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadSignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadUnsignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyTurnOnXSSFilter_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyMimeSniffingURLaction_7 - LastWrite - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_LocalPathForUpload_7 - LastWrite - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyJavaPermissions_7 - LastWrite - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_7 - LastWrite - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLogon_7 - LastWrite - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyRunActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicySignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptingOfJavaApplets_7 - LastWrite - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_UnsafeFiles_7 - LastWrite - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_TurnOnProtectedMode_7 - LastWrite - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBlockPopupWindows_7 - LastWrite - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyExplorerProcesses_12 - LastWrite - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyExplorerProcesses_8 - LastWrite - - - - SearchProviderList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SpecificSearchProvider - LastWrite - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - OnlyUseAXISForActiveXInstall - LastWrite - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyFontDownload_5 - LastWrite - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyZoneElevationURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_AllowScriptlets_5 - LastWrite - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_Phishing_5 - LastWrite - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUserdataPersistence_5 - LastWrite - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - LastWrite - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 - LastWrite - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyJavaPermissions_5 - LastWrite - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_5 - LastWrite - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - BlockedUrls - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - DefaultURL - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnableEndSessionButton - - - - - 0 - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableHomeButton - - - - - 0 - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableNavigationButtons - - - - - 0 - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RestartOnIdleTime - - - - - 0 - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - Multitasking - - - - - - - - - - - - - - - - - - - BrowserAltTabBlowout - - - - - 1 - Configures the inclusion of Edge tabs into Alt-Tab. - - - - - - - - - - - text/plain - - - phone - multitasking.admx - AltTabFilterDropdown - multitasking~AT~WindowsComponents~MULTITASKING - MultiTaskingAltTabFilter - LastWrite - - - - - Notifications - - - - - - - - - - - - - - - - - - - DisallowNotificationMirroring - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoNotificationMirroring - LowestValueMostSecure - - - - DisallowTileNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoTileNotification - LowestValueMostSecure - - - - - Printers - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions_User - - - - - - - - - - - - - - - - - text/plain - - phone - Printing.admx - Printing~AT~ControlPanel~CplPrinters - PointAndPrint_Restrictions - LastWrite - - - - - Privacy - - - - - - - - - - - - - - - - - - - DisablePrivacyExperience - - - - - 0 - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - phone - OOBE.admx - OOBE~AT~WindowsComponents~OOBE - DisablePrivacyExperience - LowestValueMostSecure - - - - - Security - - - - - - - - - - - - - - - - - - - RecoveryEnvironmentAuthentication - - - - - 0 - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - Settings - - - - - - - - - - - - - - - - - - - ConfigureTaskbarCalendar - - - - - 0 - - - - - - - - - - - - text/plain - - - Taskbar.admx - Taskbar~AT~StartMenu~TPMCategory - ConfigureTaskbarCalendar - LastWrite - - - - PageVisibilityList - - - - - - - - - - - - - - - - - text/plain - - ControlPanel.admx - SettingsPageVisibilityBox - ControlPanel~AT~ControlPanel - SettingsPageVisibility - LastWrite - - - - - Start - - - - - - - - - - - - - - - - - - - DisableContextMenus - - - - - 0 - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - DisableContextMenusInStart - LowestValueMostSecure - - - - ForceStartSize - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - ForceStartSize - LastWrite - - - - HideAppList - - - - - 0 - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - HideFrequentlyUsedApps - - - - - 0 - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoFrequentUsedPrograms - LowestValueMostSecure - - - - HidePeopleBar - - - - - 0 - Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HidePeopleBar - LowestValueMostSecure - - - - HideRecentJumplists - - - - - 0 - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoRecentDocsHistory - LowestValueMostSecure - - - - HideRecentlyAddedApps - - - - - 0 - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HideRecentlyAddedApps - LowestValueMostSecure - - - - StartLayout - - - - - - - - - - - - - - - - - text/plain - - phone - StartMenu.admx - StartMenu~AT~StartMenu - LockedStartLayout - LastWrite - - - - - System - - - - - - - - - - - - - - - - - - - AllowTelemetry - - - - - 3 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowTelemetry - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowTelemetry - LowestValueMostSecure - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - text/plain - - phone - PowerShellExecutionPolicy.admx - PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell - EnableScriptBlockLogging - LastWrite - - - - - - - Policy - ./Device/Vendor/MSFT - - - - - - - - - - - - - - - com.microsoft/10.0/MDM/Policy - - - - ConfigOperations - - - - - - - Policy CSP ConfigOperations - - - - - - - - - - - - - - - ADMXInstall - - - - - - - Win32 App ADMX Ingestion - - - - - - - - - - - - - - - * - - - - - - - Win32 App Name - - - - - - - - - - - - - - - Properties - - - - - - - Properties of Win32 App ADMX Ingestion - - - - - - - - - - - - - - - * - - - - - - - Setting Type of Win32 App. Policy Or Preference - - - - - - - - - - - - - - - * - - - - - - - Unique ID of ADMX file - - - - - - - - - - - - - - - Version - - - - - - - - Version of ADMX file - - - - - - - - - - - - - - - - - - - * - - - - - - - Setting Type of Win32 App. Policy Or Preference - - - - - - - - - - - - - - - * - - - - - - - - Unique ID of ADMX file - - - - - - - - - - - - - - - - - - - - Config - - - - - - - - - - - - - - - - - - - - - AboveLock - - - - - - - - - - - - - - - - - - - - - AllowActionCenterNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortanaAboveLock - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowToasts - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Accounts - - - - - - - - - - - - - - - - - - - - - AllowAddingNonMicrosoftAccountsManually - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMicrosoftAccountConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMicrosoftAccountSignInAssistant - - - - - - - - - - - - - - - - - - - text/plain - - - - - DomainNamesForEmailSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ActiveXControls - - - - - - - - - - - - - - - - - - - - - ApprovedInstallationSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ApplicationDefaults - - - - - - - - - - - - - - - - - - - - - DefaultAssociationsConfiguration - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableAppUriHandlers - - - - - - - - Enables web-to-app linking, which allows apps to be launched with a http(s) URI - - - - - - - - - - - text/plain - - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - - - AllowAllTrustedApps - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAppStoreAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeveloperUnlock - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowGameDVR - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSharedUserAppData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStore - - - - - - - - - - - - - - - - - - - text/plain - - - - - ApplicationRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockNonAdminUserInstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableStoreOriginatedApps - - - - - - - - - - - - - - - - - - - text/plain - - - - - LaunchAppAfterLogOn - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. - - - - - - - - - - - text/plain - - - - - MSIAllowUserControlOverInstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePrivateStoreOnly - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictAppDataToSystemVolume - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictAppToSystemVolume - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleForceRestartForUpdateFailures - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AppRuntime - - - - - - - - - - - - - - - - - - - - - AllowMicrosoftAccountsToBeOptional - - - - - - - - - - - - - - - - - - - text/plain - - - - - - AppVirtualization - - - - - - - - - - - - - - - - - - - - - AllowAppVClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDynamicVirtualization - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPackageCleanup - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPackageScripts - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPublishingRefreshUX - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowReportingServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRoamingFileExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRoamingRegistryExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStreamingAutoload - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClientCoexistenceAllowMigrationmode - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntegrationAllowRootGlobal - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntegrationAllowRootUser - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer1 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer2 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer3 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer4 - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishingAllowServer5 - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowCertificateFilterForClient_SSL - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowHighCostLaunch - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowLocationProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowPackageInstallationRoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowPackageSourceRoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowReestablishmentInterval - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingAllowReestablishmentRetries - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingSharedContentStoreMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingSupportBranchCache - - - - - - - - - - - - - - - - - - - text/plain - - - - - StreamingVerifyCertificateRevocationList - - - - - - - - - - - - - - - - - - - text/plain - - - - - VirtualComponentsAllowList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Audit - - - - - - - - - - - - - - - - - - - - - AccountLogon_AuditCredentialValidation - - - - - - - - This policy setting allows you to audit events generated by validation tests on user account logon credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditKerberosAuthenticationService - - - - - - - - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditKerberosServiceTicketOperations - - - - - - - - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - - - - - - - - - - - text/plain - - - - - AccountLogon_AuditOtherAccountLogonEvents - - - - - - - - This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditAccountLockout - - - - - - - - This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Logon events are essential for understanding user activity and to detect potential attacks. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditGroupMembership - - - - - - - - This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecExtendedMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecMainMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditIPsecQuickMode - - - - - - - - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If - you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditLogoff - - - - - - - - This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditLogon - - - - - - - - This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. - Failed logon attempts. - Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. - Security identifiers (SIDs) were filtered and not allowed to log on. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditNetworkPolicyServer - - - - - - - - This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you do not configure this policy settings, IAS and NAP user access requests are not audited. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditOtherLogonLogoffEvents - - - - - - - - This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. - Invoking a screen saver. - Dismissal of a screen saver. - Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. - Access to a wireless network granted to a user or computer account. - Access to a wired 802.1x network granted to a user or computer account. - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditSpecialLogon - - - - - - - - This policy setting allows you to audit events generated by special logons such as the following : - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). - - - - - - - - - - - text/plain - - - - - AccountLogonLogoff_AuditUserDeviceClaims - - - - - - - - This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditApplicationGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an application group changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditComputerAccountManagement - - - - - - - - This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a computer account changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditDistributionGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to distribution groups such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a distribution group changes. - -Note: Events in this subcategory are logged only on domain controllers. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditOtherAccountManagementEvents - - - - - - - - This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditSecurityGroupManagement - - - - - - - - This policy setting allows you to audit events generated by changes to security groups such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a security group changes. - - - - - - - - - - - text/plain - - - - - AccountManagement_AuditUserAccountManagement - - - - - - - - This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. - The Directory Services Restore Mode password is configured. - Permissions on administrative user accounts are changed. - Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditDPAPIActivity - - - - - - - - This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditPNPActivity - - - - - - - - This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditProcessCreation - - - - - - - - This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process is created. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditProcessTermination - - - - - - - - This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditRPCEvents - - - - - - - - This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - - - - - - - - - - - text/plain - - - - - DetailedTracking_AuditTokenRightAdjusted - - - - - - - - This policy setting allows you to audit events generated by adjusting the privileges of a token. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDetailedDirectoryServiceReplication - - - - - - - - This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceAccess - - - - - - - - This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceChanges - - - - - - - - This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - - - - - - - - - - - text/plain - - - - - DSAccess_AuditDirectoryServiceReplication - - - - - - - - This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you do not configure this policy setting, no audit event is generated during AD DS replication. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditApplicationGenerated - - - - - - - - This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. - Initialization of an application client context. - Other application operations using the Windows Auditing APIs. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditCentralAccessPolicyStaging - - - - - - - - This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: -1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2) Failure audits when configured records access attempts when: - a) The current central access policy does not grant access but the proposed policy grants access. - b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditCertificationServices - - - - - - - - This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include the following: - AD CS startup/shutdown/backup/restore. - Changes to the certificate revocation list (CRL). - New certificate requests. - Issuing of a certificate. - Revocation of a certificate. - Changes to the Certificate Manager settings for AD CS. - Changes in the configuration of AD CS. - Changes to a Certificate Services template. - Importing of a certificate. - Publishing of a certification authority certificate is to Active Directory Domain Services. - Changes to the security permissions for AD CS. - Archival of a key. - Importing of a key. - Retrieval of a key. - Starting of Online Certificate Status Protocol (OCSP) Responder Service. - Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditDetailedFileShare - - - - - - - - This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFileShare - - - - - - - - This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFileSystem - - - - - - - - This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFilteringPlatformConnection - - - - - - - - This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits a bind to a local port. - The WFP blocks a bind to a local port. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits an application or service to listen on a port for incoming connections. - The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. -If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditFilteringPlatformPacketDrop - - - - - - - - This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditHandleManipulation - - - - - - - - This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - -Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditKernelObject - - - - - - - - This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. - -Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditOtherObjectAccessEvents - - - - - - - - This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. -For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditRegistry - - - - - - - - This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -Note: You can set a SACL on a registry object using the Permissions dialog box. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditRemovableStorage - - - - - - - - This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - - - - - - - - - text/plain - - - - - ObjectAccess_AuditSAM - - - - - - - - This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. - SAM_USER – A user account. - SAM_DOMAIN – A domain. - SAM_SERVER – A computer account. -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. -Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditAuthenticationPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the authentication policy such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. - Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. - Granting of any of the following user rights to a user or group: - Access This Computer From the Network. - Allow Logon Locally. - Allow Logon Through Terminal Services. - Logon as a Batch Job. - Logon a Service. - Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - -Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditAuthorizationPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the authorization policy such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. - Changes to the Resource attributes of an object. - Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditFilteringPlatformPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. - Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditMPSSVCRuleLevelPolicyChange - - - - - - - - This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by Windows Firewall Service. - Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditOtherPolicyChangeEvents - - - - - - - - This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. - Applied Central Access Policies (CAPs) changes. - Boot Configuration Data (BCD) modifications. - - - - - - - - - - - text/plain - - - - - PolicyChange_AuditPolicyChange - - - - - - - - This policy setting allows you to audit changes in the security audit policy settings such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. - De-registration of security event sources. - Changes to the per-user audit settings. - Changes to the value of CrashOnAuditFail. - Changes to the system access control list on a file system or registry object. - Changes to the Special Groups list. - -Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditNonSensitivePrivilegeUse - - - - - - - - This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. - Add workstations to domain. - Adjust memory quotas for a process. - Allow log on locally. - Allow log on through Terminal Services. - Bypass traverse checking. - Change the system time. - Create a pagefile. - Create global objects. - - Create permanent shared objects. - Create symbolic links. - Deny access this computer from the network. - Deny log on as a batch job. - Deny log on as a service. - Deny log on locally. - Deny log on through Terminal Services. - Force shutdown from a remote system. - Increase a process working set. - Increase scheduling priority. - Lock pages in memory. - Log on as a batch job. - Log on as a service. - Modify an object label. - Perform volume maintenance tasks. - Profile single process. - Profile system performance. - Remove computer from docking station. - Shut down the system. - Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditOtherPrivilegeUseEvents - - - - - - - - Not used. - - - - - - - - - - - text/plain - - - - - PrivilegeUse_AuditSensitivePrivilegeUse - - - - - - - - This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. - Back up files and directories. - Create a token object. - Debug programs. - Enable computer and user accounts to be trusted for delegation. - Generate security audits. - Impersonate a client after authentication. - Load and unload device drivers. - Manage auditing and security log. - Modify firmware environment values. - Replace a process-level token. - Restore files and directories. - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - - - - - - - - - - - - text/plain - - - - - System_AuditIPsecDriver - - - - - - - - This policy setting allows you to audit events generated by the IPsec filter driver such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. - Network packets dropped due to being in plaintext. - Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. - Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - - - - - - - - - - - text/plain - - - - - System_AuditOtherSystemEvents - - - - - - - - This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. - - - - - - - - - - - text/plain - - - - - System_AuditSecurityStateChange - - - - - - - - This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - - - - - - - - - - - text/plain - - - - - System_AuditSecuritySystemExtension - - - - - - - - This policy setting allows you to audit events related to security system extensions or services such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - - - - - - - - - - - text/plain - - - - - System_AuditSystemIntegrity - - - - - - - - This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. - The detection of a hash value of an executable file that is not valid as determined by Code Integrity. - Cryptographic operations that compromise system integrity. - - - - - - - - - - - text/plain - - - - - - Authentication - - - - - - - - - - - - - - - - - - - - - AllowAadPasswordReset - - - - - - - - Specifies whether password reset is enabled for AAD accounts. - - - - - - - - - - - text/plain - - - - - AllowFastReconnect - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSecondaryAuthenticationDevice - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWebcamAccessDomainNames - - - - - - - - Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. - - - - - - - - - - - text/plain - - - - - EnableFastFirstSignIn - - - - - - - - Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts - - - - - - - - - - - text/plain - - - - - EnableWebSignIn - - - - - - - - Specifies whether web-based sign in is allowed for logging in to Windows - - - - - - - - - - - text/plain - - - - - PreferredAadTenantDomainName - - - - - - - - Specifies the preferred domain among available domains in the AAD tenant. - - - - - - - - - - - text/plain - - - - - - Autoplay - - - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Bitlocker - - - - - - - - - - - - - - - - - - - - - EncryptionMethod - - - - - - - - - - - - - - - - - - - text/plain - - - - - - BITS - - - - - - - - - - - - - - - - - - - - - BandwidthThrottlingEndTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - BandwidthThrottlingStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - BandwidthThrottlingTransferRate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CostedNetworkBehaviorBackgroundPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - CostedNetworkBehaviorForegroundPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - JobInactivityTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Bluetooth - - - - - - - - - - - - - - - - - - - - - AllowAdvertising - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDiscoverableMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPrepairing - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPromptedProximalConnections - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalDeviceName - - - - - - - - - - - - - - - - - - - text/plain - - - - - ServicesAllowedList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetMinimumEncryptionKeySize - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Browser - - - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - - - - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - - - AllowAutofill - - - - - - - - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowBrowser - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConfigurationUpdateForBooksLibrary - - - - - - - - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - - - AllowCookies - - - - - - - - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - - - AllowDeveloperTools - - - - - - - - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowDoNotTrack - - - - - - - - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - - - AllowExtensions - - - - - - - - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlash - - - - - - - - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowFlashClickToRun - - - - - - - - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - - - AllowFullScreenMode - - - - - - - - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowInPrivate - - - - - - - - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - - - AllowMicrosoftCompatibilityList - - - - - - - - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - - - AllowPasswordManager - - - - - - - - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - - - AllowPopups - - - - - - - - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - - - AllowPrelaunch - - - - - - - - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowPrinting - - - - - - - - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - - - AllowSavingHistory - - - - - - - - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - - - AllowSearchEngineCustomization - - - - - - - - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - - - AllowSearchSuggestionsinAddressBar - - - - - - - - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSideloadingOfExtensions - - - - - - - - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - AllowSmartScreen - - - - - - - - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - - - AllowTabPreloading - - - - - - - - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - - - AllowWebContentOnNewTabPage - - - - - - - - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - - - AlwaysEnableBooksLibrary - - - - - - - - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - - - ClearBrowsingDataOnExit - - - - - - - - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureAdditionalSearchEngines - - - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - ConfigureFavoritesBar - - - - - - - - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - - - ConfigureHomeButton - - - - - - - - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - - - ConfigureKioskMode - - - - - - - - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - - - ConfigureKioskResetAfterIdleTimeout - - - - - - - - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - - - ConfigureOpenMicrosoftEdgeWith - - - - - - - - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - - - - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - - - DisableLockdownOfStartPages - - - - - - - - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - - - EnableExtendedBooksTelemetry - - - - - - - - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - - - EnterpriseModeSiteList - - - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - FirstRunURL - - - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - - - - HomePages - - - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - - - - LockdownFavorites - - - - - - - - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - - - - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - - - PreventCertErrorOverrides - - - - - - - - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - - - PreventFirstRunPage - - - - - - - - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventLiveTileDataCollection - - - - - - - - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverride - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - - - PreventSmartScreenPromptOverrideForFiles - - - - - - - - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - - - PreventTurningOffRequiredExtensions - - - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - - - - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - - - ProvisionFavorites - - - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - - - - SendIntranetTraffictoInternetExplorer - - - - - - - - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - - - SetDefaultSearchEngine - - - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - - - SetHomeButtonURL - - - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - - - - SetNewTabPageURL - - - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - - - - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - - - - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - - - UnlockHomeButton - - - - - - - - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - - - UseSharedFolderForBooks - - - - - - - - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - - - - Camera - - - - - - - - - - - - - - - - - - - - - AllowCamera - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Cellular - - - - - - - - - - - - - - - - - - - - - LetAppsAccessCellularData - - - - - - - - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - ShowAppCellularAccessUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Connectivity - - - - - - - - - - - - - - - - - - - - - AllowBluetooth - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCellularData - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCellularDataRoaming - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowConnectedDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowNFC - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPhonePCLinking - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUSBConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPNOverCellular - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPNRoamingOverCellular - - - - - - - - - - - - - - - - - - - text/plain - - - - - DiablePrintingOverHTTP - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDownloadingOfPrintDriversOverHTTP - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNetworkConnectivityActiveTests - - - - - - - - - - - - - - - - - - - text/plain - - - - - HardenedUNCPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProhibitInstallationAndConfigurationOfNetworkBridge - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ControlPolicyConflict - - - - - - - - - - - - - - - - - - - - - MDMWinsOverGP - - - - - - - - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. - - - - - - - - - - - text/plain - - - - - - CredentialProviders - - - - - - - - - - - - - - - - - - - - - AllowPINLogon - - - - - - - - - - - - - - - - - - - text/plain - - - - - BlockPicturePassword - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAutomaticReDeploymentCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - - CredentialsDelegation - - - - - - - - - - - - - - - - - - - - - RemoteHostAllowsDelegationOfNonExportableCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnumerateAdministrators - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Cryptography - - - - - - - - - - - - - - - - - - - - - AllowFipsAlgorithmPolicy - - - - - - - - - - - - - - - - - - - text/plain - - - - - TLSCipherSuites - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DataProtection - - - - - - - - - - - - - - - - - - - - - AllowDirectMemoryAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - LegacySelectiveWipeID - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DataUsage - - - - - - - - - - - - - - - - - - - - - SetCost3G - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetCost4G - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Defender - - - - - - - - - - - - - - - - - - - - - AllowArchiveScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowBehaviorMonitoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCloudProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEmailScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFullScanOnMappedNetworkDrives - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFullScanRemovableDriveScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntrusionPreventionSystem - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIOAVProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOnAccessProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRealtimeMonitoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScanningNetworkFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScriptScanning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUserUIAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - AttackSurfaceReductionOnlyExclusions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AttackSurfaceReductionRules - - - - - - - - - - - - - - - - - - - text/plain - - - - - AvgCPULoadFactor - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckForSignaturesBeforeRunningScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - CloudBlockLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - CloudExtendedTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - ControlledFolderAccessAllowedApplications - - - - - - - - - - - - - - - - - - - text/plain - - - - - ControlledFolderAccessProtectedFolders - - - - - - - - - - - - - - - - - - - text/plain - - - - - DaysToRetainCleanedMalware - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCatchupFullScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCatchupQuickScan - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableControlledFolderAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableLowCPUPriority - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableNetworkProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedExtensions - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PUAProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - RealTimeScanDirection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScanParameter - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleQuickScanTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleScanDay - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleScanTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - SecurityIntelligenceLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateFallbackOrder - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateFileSharesSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - SignatureUpdateInterval - - - - - - - - - - - - - - - - - - - text/plain - - - - - SubmitSamplesConsent - - - - - - - - - - - - - - - - - - - text/plain - - - - - ThreatSeverityDefaultAction - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeliveryOptimization - - - - - - - - - - - - - - - - - - - - - DOAbsoluteMaxCacheSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOAllowVPNPeerCaching - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOCacheHost - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOCacheHostSource - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayBackgroundDownloadFromHttp - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayCacheServerFallbackBackground - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayCacheServerFallbackForeground - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODelayForegroundDownloadFromHttp - - - - - - - - - - - - - - - - - - - text/plain - - - - - DODownloadMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOGroupId - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOGroupIdSource - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxCacheAge - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxCacheSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMaxForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinBackgroundQos - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinBatteryPercentageAllowedToUpload - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinDiskSizeAllowedToPeer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinFileSizeToCache - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMinRAMAllowedToPeer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOModifyCacheDrive - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOMonthlyUploadDataCap - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOPercentageMaxBackgroundBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOPercentageMaxForegroundBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DORestrictPeerSelectionBy - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOSetHoursToLimitBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - DOSetHoursToLimitForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - - - ConfigureSystemGuardLaunch - - - - - - - - Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. - - - - - - - - - - - text/plain - - - - - EnableVirtualizationBasedSecurity - - - - - - - - Turns On Virtualization Based Security(VBS) - - - - - - - - - - - text/plain - - - - - LsaCfgFlags - - - - - - - - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. - - - - - - - - - - - text/plain - - - - - RequirePlatformSecurityFeatures - - - - - - - - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. - - - - - - - - - - - text/plain - - - - - - DeviceHealthMonitoring - - - - - - - - - - - - - - - - - - - - - AllowDeviceHealthMonitoring - - - - - - - - Enable/disable 4Nines device health monitoring on devices. - - - - - - - - - - - text/plain - - - - - ConfigDeviceHealthMonitoringScope - - - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. - - - - - - - - - - - text/plain - - - - - ConfigDeviceHealthMonitoringUploadDestination - - - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. - - - - - - - - - - - text/plain - - - - - - DeviceInstallation - - - - - - - - - - - - - - - - - - - - - AllowInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventDeviceMetadataFromNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - - - text/plain - - - - - - DeviceLock - - - - - - - - - - - - - - - - - - - - - AllowIdleReturnWithoutPassword - - - - - - - - Specifies whether the user must input a PIN or password when the device resumes from an idle state. - - - - - - - - - - - text/plain - - - - - AllowSimpleDevicePassword - - - - - - - - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. - - - - - - - - - - - text/plain - - - - - AlphanumericDevicePasswordRequired - - - - - - - - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 - - - - - - - - - - - text/plain - - - - - DevicePasswordEnabled - - - - - - - - Specifies whether device lock is enabled. - - - - - - - - - - - text/plain - - - - - DevicePasswordExpiration - - - - - - - - Specifies when the password expires (in days). - - - - - - - - - - - text/plain - - - - - DevicePasswordHistory - - - - - - - - Specifies how many passwords can be stored in the history that can’t be used. - - - - - - - - - - - text/plain - - - - - EnforceLockScreenAndLogonImage - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnforceLockScreenProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxDevicePasswordFailedAttempts - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxInactivityTimeDeviceLock - - - - - - - - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - - - - - - - - - - - text/plain - - - - - MaxInactivityTimeDeviceLockWithExternalDisplay - - - - - - - - Sets the maximum timeout value for the external display. - - - - - - - - - - - text/plain - - - - - MinDevicePasswordComplexCharacters - - - - - - - - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - - - - - - - - - - - text/plain - - - - - MinDevicePasswordLength - - - - - - - - Specifies the minimum number or characters required in the PIN or password. - - - - - - - - - - - text/plain - - - - - MinimumPasswordAge - - - - - - - - This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - - - - - - - - - - - text/plain - - - - - PreventEnablingLockScreenCamera - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventLockScreenSlideShow - - - - - - - - - - - - - - - - - - - text/plain - - - - - Display - - - - - - - - - - - - - - - - - - - - - DisablePerProcessDpiForApps - - - - - - - - This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - - - - EnablePerProcessDpi - - - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - - - EnablePerProcessDpiForApps - - - - - - - - This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - - - - TurnOffGdiDPIScalingForApps - - - - - - - - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - - - - TurnOnGdiDPIScalingForApps - - - - - - - - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - - - - - DmaGuard - - - - - - - - - - - - - - - - - - - - - DeviceEnumerationPolicy - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ErrorReporting - - - - - - - - - - - - - - - - - - - - - CustomizeConsentSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWindowsErrorReporting - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayErrorNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotSendAdditionalData - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventCriticalErrorDisplay - - - - - - - - - - - - - - - - - - - text/plain - - - - - - EventLogService - - - - - - - - - - - - - - - - - - - - - ControlEventLogBehavior - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeApplicationLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeSecurityLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaximumFileSizeSystemLog - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Experience - - - - - - - - - - - - - - - - - - - - - AllowClipboardHistory - - - - - - - - Allows history of clipboard items to be stored in memory. - - - - - - - - - - - text/plain - - - - - AllowCopyPaste - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortana - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeviceDiscovery - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFindMyDevice - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualMDMUnenrollment - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSaveAsOfOfficeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowScreenCapture - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSharingOfOfficeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSIMErrorDialogPromptWhenNoSIM - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSyncMySettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTaskSwitcher - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVoiceRecording - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsConsumerFeatures - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsTips - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCloudOptimizedContent - - - - - - - - This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. - - - - - - - - - - - text/plain - - - - - DoNotShowFeedbackNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotSyncBrowserSettings - - - - - - - - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. - Related policy: PreventUsersFromTurningOnBrowserSyncing - 0 (default) = allow syncing, 2 = disable syncing - - - - - - - - - - - text/plain - - - - - PreventUsersFromTurningOnBrowserSyncing - - - - - - - - You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSettings - 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - - - - - - - - text/plain - - - - - ShowLockOnUserTile - - - - - - - - Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - - - - - text/plain - - - - - - ExploitGuard - - - - - - - - - - - - - - - - - - - - - ExploitProtectionSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - - FactoryComposer - - - - - - - - - - - - - - - - - - - - - BackgroundImagePath - - - - - - - - - - - - - - - - - - - text/plain - - - - - OEMVersion - - - - - - - - - - - - - - - - - - - text/plain - - - - - UserToSignIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - UWPLaunchOnBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - - FileExplorer - - - - - - - - - - - - - - - - - - - - - TurnOffDataExecutionPreventionForExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffHeapTerminationOnCorruption - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Games - - - - - - - - - - - - - - - - - - - - - AllowAdvancedGamingServices - - - - - - - - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. - - - - - - - - - - - text/plain - - - - - - Handwriting - - - - - - - - - - - - - - - - - - - - - PanelDefaultModeDocked - - - - - - - - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen - - - - - - - - - - - text/plain - - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAddOnList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFallbackToSSL3 - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCompatView - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableGeolocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableProxyChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - - - text/plain - - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - - - text/plain - - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SearchProviderList - - - - - - - - - - - - - - - - - - - text/plain - - - - - SecurityZonesUseOnlyMachineSettings - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Kerberos - - - - - - - - - - - - - - - - - - - - - AllowForestSearchOrder - - - - - - - - - - - - - - - - - - - text/plain - - - - - KerberosClientSupportsClaimsCompoundArmor - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireKerberosArmoring - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireStrictKDCValidation - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetMaximumContextTokenSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - UPNNameHints - - - - - - - - Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - - This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. - - - - - - - - - - - text/plain - - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - - - - BlockedUrls - - - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - - - - DefaultURL - - - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - - - - EnableEndSessionButton - - - - - - - - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - - - EnableHomeButton - - - - - - - - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - - - EnableNavigationButtons - - - - - - - - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - - - RestartOnIdleTime - - - - - - - - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - - - - LanmanWorkstation - - - - - - - - - - - - - - - - - - - - - EnableInsecureGuestLogons - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Licensing - - - - - - - - - - - - - - - - - - - - - AllowWindowsEntitlementReactivation - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowKMSClientOnlineAVSValidation - - - - - - - - - - - - - - - - - - - text/plain - - - - - - LocalPoliciesSecurityOptions - - - - - - - - - - - - - - - - - - - - - Accounts_BlockMicrosoftAccounts - - - - - - - - This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. - -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - - - - - - - - - - - text/plain - - - - - Accounts_EnableAdministratorAccountStatus - - - - - - - - This security setting determines whether the local Administrator account is enabled or disabled. - -Notes - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - Accounts_EnableGuestAccountStatus - - - - - - - - This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - - - - - - - - - - - text/plain - - - - - Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - - - - - - - Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. - -Default: Enabled. - - -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. - -Notes - -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. - - - - - - - - - - - text/plain - - - - - Accounts_RenameAdministratorAccount - - - - - - - - Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator. - - - - - - - - - - - text/plain - - - - - Accounts_RenameGuestAccount - - - - - - - - Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest. - - - - - - - - - - - text/plain - - - - - Devices_AllowedToFormatAndEjectRemovableMedia - - - - - - - - Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -Administrators -Administrators and Interactive Users - -Default: This policy is not defined and only Administrators have this ability. - - - - - - - - - - - text/plain - - - - - Devices_AllowUndockWithoutHavingToLogon - - - - - - - - Devices: Allow undock without having to log on -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. - -Caution -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - - - - - - - - - text/plain - - - - - Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters - - - - - - - - Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled. -Default on workstations: Disabled - -Notes - -This setting does not affect the ability to add a local printer. -This setting does not affect Administrators. - - - - - - - - - - - text/plain - - - - - Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly - - - - - - - - Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked - - - - - - - - Interactive Logon:Display user information when the session is locked -User display name, domain and user names (1) -User display name only (2) -Do not display user information (3) -Domain and user names only (4) - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotDisplayLastSignedIn - - - - - - - - Interactive logon: Don't display last signed-in -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotDisplayUsernameAtSignIn - - - - - - - - Interactive logon: Don't display username at sign-in -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_DoNotRequireCTRLALTDEL - - - - - - - - Interactive logon: Do not require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. - -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MachineInactivityLimit - - - - - - - - Interactive logon: Machine inactivity limit. - -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: not enforced. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MessageTextForUsersAttemptingToLogOn - - - - - - - - Interactive logon: Message text for users attempting to log on - -This security setting specifies a text message that is displayed to users when they log on. - -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. - -Default: No message. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_MessageTitleForUsersAttemptingToLogOn - - - - - - - - Interactive logon: Message title for users attempting to log on - -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. - -Default: No message. - - - - - - - - - - - text/plain - - - - - InteractiveLogon_SmartCardRemovalBehavior - - - - - - - - Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. - -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy is not defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - - - - - - - Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - - - - - - - Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways - - - - - - - - Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: - -Disabled for member servers. -Enabled for domain controllers. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees - - - - - - - - Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -Important - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts - - - - - - - - Network access: Do not allow anonymous enumeration of SAM accounts - -This security setting determines what additional permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. - -This security option allows additional restrictions to be placed on anonymous connections as follows: - -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. - -Default on workstations: Enabled. -Default on server:Enabled. - -Important - -This policy has no impact on domain controllers. - - - - - - - - - - - text/plain - - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares - - - - - - - - Network access: Do not allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares - - - - - - - - Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. - - - - - - - - - - - text/plain - - - - - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM - - - - - - - - Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM - - - - - - - - Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_AllowPKU2UAuthenticationRequests - - - - - - - - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange - - - - - - - - Network security: Do not store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. - - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. - -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_LANManagerAuthenticationLevel - - - - - - - - Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - -Default: - -Windows 2000 and windows XP: send LM and NTLM responses - -Windows Server 2003: Send NTLM response only - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only - - - - - - - - - - - text/plain - - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - - - - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - - - - - - - - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication - - - - - - - - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you do not configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic - - - - - - - - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - - - - - - - - Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - - - - - - - - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - - - Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn - - - - - - - - Shutdown: Allow system to be shut down without having to log on - -This security setting determines whether a computer can be shut down without having to log on to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -Default on workstations: Enabled. -Default on servers: Disabled. - - - - - - - - - - - text/plain - - - - - Shutdown_ClearVirtualMemoryPageFile - - - - - - - - Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - - - UserAccountControl_AllowUIAccessApplicationsToPromptForElevation - - - - - - - - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - - - - - - - - - - - text/plain - - - - - UserAccountControl_BehaviorOfTheElevationPromptForAdministrators - - - - - - - - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers - - - - - - - - User Account Control: Behavior of the elevation prompt for standard users -This policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_DetectApplicationInstallationsAndPromptForElevation - - - - - - - - User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - - - - - - - - - text/plain - - - - - UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated - - - - - - - - User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - - - - - - - - - - - text/plain - - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - - - - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - - - - - - - - - - - text/plain - - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - - - - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - - - - - - - - - - - text/plain - - - - - UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation - - - - - - - - User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: - -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - - - - - - - - - - - text/plain - - - - - UserAccountControl_UseAdminApprovalMode - - - - - - - - User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - - - - - - - - - text/plain - - - - - UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations - - - - - - - - User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -The options are: - -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - -• Disabled: Applications that write data to protected locations fail. - - - - - - - - - - - text/plain - - - - - - LocalUsersAndGroups - - - - - - - - - - - - - - - - - - - - - Configure - - - - - - - - This Setting allows an administrator to manage local groups on a Device. - Possible settings: - 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. - When using Update, existing group members that are not specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. - When using Replace, existing group membership is replaced by the list of members specified in - the add member section. This option works in the same way as a Restricted Group and any group - members that are not specified in the policy are removed. - Caution: If the same group is configured with both Replace and Update, then Replace will win. - - - - - - - - - - - text/plain - - - - - - LockDown - - - - - - - - - - - - - - - - - - - - - AllowEdgeSwipe - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Maps - - - - - - - - - - - - - - - - - - - - - AllowOfflineMapsDownloadOverMeteredConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableOfflineMapsAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Messaging - - - - - - - - - - - - - - - - - - - - - AllowMessageSync - - - - - - - - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. - - - - - - - - - - - text/plain - - - - - AllowMMS - - - - - - - - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. - - - - - - - - - - - text/plain - - - - - AllowRCS - - - - - - - - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. - - - - - - - - - - - text/plain - - - - - - MixedReality - - - - - - - - - - - - - - - - - - - - - AADGroupMembershipCacheValidityInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - BrightnessButtonDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - FallbackDiagnostics - - - - - - - - - - - - - - - - - - - text/plain - - - - - MicrophoneDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - VolumeButtonDisabled - - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSSecurityGuide - - - - - - - - - - - - - - - - - - - - - ApplyUACRestrictionsToLocalAccountsOnNetworkLogon - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureSMBV1ClientDriver - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureSMBV1Server - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableStructuredExceptionHandlingOverwriteProtection - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications - - - - - - - - - - - - - - - - - - - text/plain - - - - - WDigestAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - MSSLegacy - - - - - - - - - - - - - - - - - - - - - AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - IPSourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - IPv6SourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - - NetworkIsolation - - - - - - - - - - - - - - - - - - - - - EnterpriseCloudResources - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseInternalProxyServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseIPRange - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseIPRangesAreAuthoritative - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseNetworkDomainNames - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseProxyServers - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnterpriseProxyServersAreAuthoritative - - - - - - - - - - - - - - - - - - - text/plain - - - - - NeutralResources - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Notifications - - - - - - - - - - - - - - - - - - - - - DisallowCloudNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Power - - - - - - - - - - - - - - - - - - - - - AllowStandbyStatesWhenSleepingOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStandbyWhenSleepingPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayOffTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisplayOffTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnergySaverBatteryThresholdOnBattery - - - - - - - - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - EnergySaverBatteryThresholdPluggedIn - - - - - - - - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - HibernateTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - HibernateTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePasswordWhenComputerWakesOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePasswordWhenComputerWakesPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - SelectLidCloseActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectLidCloseActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectPowerButtonActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectPowerButtonActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectSleepButtonActionOnBattery - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - SelectSleepButtonActionPluggedIn - - - - - - - - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - - - StandbyTimeoutOnBattery - - - - - - - - - - - - - - - - - - - text/plain - - - - - StandbyTimeoutPluggedIn - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffHybridSleepOnBattery - - - - - - - - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - TurnOffHybridSleepPluggedIn - - - - - - - - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - - - UnattendedSleepTimeoutOnBattery - - - - - - - - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - - - UnattendedSleepTimeoutPluggedIn - - - - - - - - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - - - - Printers - - - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - PublishPrinters - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Privacy - - - - - - - - - - - - - - - - - - - - - AllowAutoAcceptPairingAndPrivacyConsentPrompts - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCrossDeviceClipboard - - - - - - - - Allows syncing of Clipboard across devices under the same Microsoft account. - - - - - - - - - - - text/plain - - - - - AllowInputPersonalization - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAdvertisingId - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisablePrivacyExperience - - - - - - - - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - - - EnableActivityFeed - - - - - - - - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo - - - - - - - - This policy setting specifies whether Windows apps can access account information. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessAccountInfo_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception - - - - - - - - This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar - - - - - - - - This policy setting specifies whether Windows apps can access the calendar. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCalendar_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory - - - - - - - - This policy setting specifies whether Windows apps can access call history. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCallHistory_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera - - - - - - - - This policy setting specifies whether Windows apps can access the camera. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessCamera_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts - - - - - - - - This policy setting specifies whether Windows apps can access contacts. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessContacts_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail - - - - - - - - This policy setting specifies whether Windows apps can access email. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessEmail_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput - - - - - - - - This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessGazeInput_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation - - - - - - - - This policy setting specifies whether Windows apps can access location. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessLocation_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging - - - - - - - - This policy setting specifies whether Windows apps can read or send messages (text or MMS). - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMessaging_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone - - - - - - - - This policy setting specifies whether Windows apps can access the microphone. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMicrophone_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion - - - - - - - - This policy setting specifies whether Windows apps can access motion data. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessMotion_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications - - - - - - - - This policy setting specifies whether Windows apps can access notifications. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessNotifications_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone - - - - - - - - This policy setting specifies whether Windows apps can make phone calls - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessPhone_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios - - - - - - - - This policy setting specifies whether Windows apps have access to control radios. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessRadios_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks - - - - - - - - This policy setting specifies whether Windows apps can access tasks. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTasks_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices - - - - - - - - This policy setting specifies whether Windows apps can access trusted devices. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsActivateWithVoice - - - - - - - - This policy setting specifies whether Windows apps can be activated by voice. - - - - - - - - - - - text/plain - - - - - LetAppsActivateWithVoiceAboveLock - - - - - - - - This policy setting specifies whether Windows apps can be activated by voice while the system is locked. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo - - - - - - - - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground - - - - - - - - This policy setting specifies whether Windows apps can run in the background. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsRunInBackground_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices - - - - - - - - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_ForceAllowTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_ForceDenyTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - LetAppsSyncWithDevices_UserInControlOfTheseApps - - - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - - - - PublishUserActivities - - - - - - - - Allows apps/system to publish 'User Activities' into ActivityFeed. - - - - - - - - - - - text/plain - - - - - UploadUserActivities - - - - - - - - Allows ActivityFeed to upload published 'User Activities'. - - - - - - - - - - - text/plain - - - - - - RemoteAssistance - - - - - - - - - - - - - - - - - - - - - CustomizeWarningMessages - - - - - - - - - - - - - - - - - - - text/plain - - - - - SessionLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - SolicitedRemoteAssistance - - - - - - - - - - - - - - - - - - - text/plain - - - - - UnsolicitedRemoteAssistance - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteDesktopServices - - - - - - - - - - - - - - - - - - - - - AllowUsersToConnectRemotely - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClientConnectionEncryptionLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowDriveRedirection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotAllowPasswordSaving - - - - - - - - - - - - - - - - - - - text/plain - - - - - PromptForPasswordUponConnection - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireSecureRPCCommunication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteManagement - - - - - - - - - - - - - - - - - - - - - AllowBasicAuthentication_Client - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowBasicAuthentication_Service - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCredSSPAuthenticationClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCredSSPAuthenticationService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRemoteServerManagement - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUnencryptedTraffic_Client - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUnencryptedTraffic_Service - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowDigestAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNegotiateAuthenticationClient - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowNegotiateAuthenticationService - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowStoringOfRunAsCredentials - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyChannelBindingTokenHardeningLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - TrustedHosts - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnCompatibilityHTTPListener - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOnCompatibilityHTTPSListener - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteProcedureCall - - - - - - - - - - - - - - - - - - - - - RestrictUnauthenticatedRPCClients - - - - - - - - - - - - - - - - - - - text/plain - - - - - RPCEndpointMapperClientAuthentication - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RemoteShell - - - - - - - - - - - - - - - - - - - - - AllowRemoteShellAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - MaxConcurrentUsers - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyIdleTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxMemory - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxProcesses - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyMaxRemoteShells - - - - - - - - - - - - - - - - - - - text/plain - - - - - SpecifyShellTimeout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - RestrictedGroups - - - - - - - - - - - - - - - - - - - - - ConfigureGroupMembership - - - - - - - - This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. - - - - - - - - - - - text/plain - - - - - - Search - - - - - - - - - - - - - - - - - - - - - AllowCloudSearch - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCortanaInAAD - - - - - - - - This features allows you to show the cortana opt-in page during Windows Setup - - - - - - - - - - - text/plain - - - - - AllowFindMyFiles - - - - - - - - This feature allows you to disable find my files completely on the machine - - - - - - - - - - - text/plain - - - - - AllowIndexingEncryptedStoresOrItems - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSearchToUseLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStoringImagesFromVisionSearch - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUsingDiacritics - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsIndexer - - - - - - - - - - - - - - - - - - - text/plain - - - - - AlwaysUseAutoLangDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableBackoff - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableRemovableDriveIndexing - - - - - - - - - - - - - - - - - - - text/plain - - - - - DoNotUseWebResults - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventIndexingLowDiskSpaceMB - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventRemoteQueries - - - - - - - - - - - - - - - - - - - text/plain - - - - - SafeSearchPermissions - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Security - - - - - - - - - - - - - - - - - - - - - AllowAddProvisioningPackage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualRootCertificateInstallation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRemoveProvisioningPackage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AntiTheftMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - ClearTPMIfNotReady - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureWindowsPasswords - - - - - - - - Configures the use of passwords for Windows features - - - - - - - - - - - text/plain - - - - - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - RecoveryEnvironmentAuthentication - - - - - - - - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - - - RequireDeviceEncryption - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireProvisioningPackageSignature - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireRetrieveHealthCertificateOnBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - - ServiceControlManager - - - - - - - - - - - - - - - - - - - - - SvchostProcessMitigation - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Settings - - - - - - - - - - - - - - - - - - - - - AllowAutoPlay - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDataSense - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDateTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowEditDeviceName - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLanguage - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowOnlineTips - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowPowerSleep - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowRegion - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowSignInOptions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowVPN - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWorkplace - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowYourAccount - - - - - - - - - - - - - - - - - - - text/plain - - - - - PageVisibilityList - - - - - - - - - - - - - - - - - - - text/plain - - - - - - SmartScreen - - - - - - - - - - - - - - - - - - - - - EnableAppInstallControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableSmartScreenInShell - - - - - - - - - - - - - - - - - - - text/plain - - - - - PreventOverrideForFilesInShell - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Speech - - - - - - - - - - - - - - - - - - - - - AllowSpeechModelUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Start - - - - - - - - - - - - - - - - - - - - - AllowPinnedFolderDocuments - - - - - - - - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderDownloads - - - - - - - - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderFileExplorer - - - - - - - - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderHomeGroup - - - - - - - - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderMusic - - - - - - - - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderNetwork - - - - - - - - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderPersonalFolder - - - - - - - - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderPictures - - - - - - - - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderSettings - - - - - - - - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - AllowPinnedFolderVideos - - - - - - - - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - - - DisableContextMenus - - - - - - - - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - - - ForceStartSize - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideAppList - - - - - - - - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideChangeAccountSettings - - - - - - - - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideFrequentlyUsedApps - - - - - - - - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideHibernate - - - - - - - - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideLock - - - - - - - - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HidePowerButton - - - - - - - - Enabling this policy hides the power button from appearing in the start menu. - - - - - - - - - - - text/plain - - - - - HideRecentJumplists - - - - - - - - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRecentlyAddedApps - - - - - - - - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - - - HideRestart - - - - - - - - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideShutDown - - - - - - - - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideSignOut - - - - - - - - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideSleep - - - - - - - - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - - - HideSwitchAccount - - - - - - - - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - - - HideUserTile - - - - - - - - Enabling this policy hides the user tile from appearing in the start menu. - - - - - - - - - - - text/plain - - - - - ImportEdgeAssets - - - - - - - - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. - - - - - - - - - - - text/plain - - - - - NoPinningToTaskbar - - - - - - - - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. - - - - - - - - - - - text/plain - - - - - StartLayout - - - - - - - - - - - - - - - - - - - text/plain - - - - - - Storage - - - - - - - - - - - - - - - - - - - - - AllowDiskHealthModelUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageSenseGlobal - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageSenseTemporaryFilesCleanup - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseCloudContentDehydrationThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseDownloadsCleanupThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseGlobalCadence - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigStorageSenseRecycleBinCleanupThreshold - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnhancedStorageDevices - - - - - - - - - - - - - - - - - - - text/plain - - - - - RemovableDiskDenyWriteAccess - - - - - - - - If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - - - - - - - text/plain - - - - - - System - - - - - - - - - - - - - - - - - - - - - AllowBuildPreview - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowCommercialDataPipeline - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowDeviceNameInDiagnosticData - - - - - - - - This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - - - - - - - - - text/plain - - - - - AllowEmbeddedMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowExperimentation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowFontProviders - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLocation - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowStorageCard - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowTelemetry - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUserToResetPhone - - - - - - - - - - - - - - - - - - - text/plain - - - - - BootStartDriverInitialization - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureMicrosoft365UploadEndpoint - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryOptInChangeNotification - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTelemetryOptInSettingsUx - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeviceDelete - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDiagnosticDataViewer - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDirectXDatabaseUpdate - - - - - - - - This group policy allows control over whether the DirectX Database Updater task will be run on the system. - - - - - - - - - - - text/plain - - - - - DisableEnterpriseAuthProxy - - - - - - - - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - - - - - - - - - text/plain - - - - - DisableOneDriveFileSync - - - - - - - - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - - - - - - - - - text/plain - - - - - DisableSystemRestore - - - - - - - - - - - - - - - - - - - text/plain - - - - - FeedbackHubAlwaysSaveDiagnosticsLocally - - - - - - - - Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - - - - - - - - - - - text/plain - - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - - - - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. - - - - - - - - - - - text/plain - - - - - TelemetryProxy - - - - - - - - - - - - - - - - - - - text/plain - - - - - TurnOffFileHistory - - - - - - - - This policy setting allows you to turn off File History. - -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. - -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. - - - - - - - - - - - text/plain - - - - - - SystemServices - - - - - - - - - - - - - - - - - - - - - ConfigureHomeGroupListenerServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureHomeGroupProviderServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxAccessoryManagementServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveAuthManagerServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveGameSaveServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - ConfigureXboxLiveNetworkingServiceStartupMode - - - - - - - - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - - - - TaskManager - - - - - - - - - - - - - - - - - - - - - AllowEndTask - - - - - - - - This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled - - - - - - - - - - - text/plain - - - - - - TaskScheduler - - - - - - - - - - - - - - - - - - - - - EnableXboxGameSaveTask - - - - - - - - This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. - - - - - - - - - - - text/plain - - - - - - TextInput - - - - - - - - - - - - - - - - - - - - - AllowHardwareKeyboardTextSuggestions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIMELogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowIMENetworkAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInputPanel - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseIMESurrogatePairCharacters - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseIVSCharacters - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseNonPublishingStandardGlyph - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowJapaneseUserDictionary - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowKeyboardTextSuggestions - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLanguageFeaturesUninstall - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowLinguisticDataCollection - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureJapaneseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use. -1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. -2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. - - - - - - - - - - - text/plain - - - - - ConfigureSimplifiedChineseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use. -1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. -2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. - - - - - - - - - - - text/plain - - - - - ConfigureTraditionalChineseIMEVersion - - - - - - - - This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use. -1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. -2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. - - - - - - - - - - - text/plain - - - - - EnableTouchKeyboardAutoInvokeInDesktopMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptJIS0208 - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptJIS0208andEUDC - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeJapaneseIMEExceptShiftJIS - - - - - - - - - - - - - - - - - - - text/plain - - - - - ForceTouchKeyboardDockedState - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardDictationButtonAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardEmojiButtonAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardFullModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardHandwritingModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardNarrowModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardSplitModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - TouchKeyboardWideModeAvailability - - - - - - - - - - - - - - - - - - - text/plain - - - - - - TimeLanguageSettings - - - - - - - - - - - - - - - - - - - - - AllowSet24HourClock - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureTimeZone - - - - - - - - Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. - - - - - - - - - - - text/plain - - - - - - Troubleshooting - - - - - - - - - - - - - - - - - - - - - AllowRecommendations - - - - - - - - This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. -Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. - -Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: -0 = Turn this feature off. -1 = Turn this feature off but still apply critical troubleshooting. -2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. -4 = Run recommended troubleshooting automatically without notifying the user. -5 = Allow the user to choose their own recommended troubleshooting settings. - - - - - - - - - - - text/plain - - - - - - Update - - - - - - - - - - - - - - - - - - - - - ActiveHoursEnd - - - - - - - - - - - - - - - - - - - text/plain - - - - - ActiveHoursMaxRange - - - - - - - - - - - - - - - - - - - text/plain - - - - - ActiveHoursStart - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowMUUpdateService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowNonMicrosoftSignedUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowUpdateService - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutomaticMaintenanceWakeUp - - - - - - - - This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - - - - - text/plain - - - - - AutoRestartDeadlinePeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartDeadlinePeriodInDaysForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartNotificationSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - AutoRestartRequiredNotificationDismissal - - - - - - - - - - - - - - - - - - - text/plain - - - - - BranchReadinessLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineForQualityUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineGracePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureDeadlineNoAutoReboot - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigureFeatureUpdateUninstallPeriod - - - - - - - - Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - - - - - text/plain - - - - - DeferFeatureUpdatesPeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferQualityUpdatesPeriodInDays - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferUpdatePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - DeferUpgradePeriod - - - - - - - - - - - - - - - - - - - text/plain - - - - - DetectionFrequency - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDualScan - - - - - - - - Do not allow update deferral policies to cause scans against Windows Update - - - - - - - - - - - text/plain - - - - - DisableWUfBSafeguards - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartDeadline - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartDeadlineForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartSnoozeSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartSnoozeScheduleForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartTransitionSchedule - - - - - - - - - - - - - - - - - - - text/plain - - - - - EngagedRestartTransitionScheduleForFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - ExcludeWUDriversInQualityUpdate - - - - - - - - - - - - - - - - - - - text/plain - - - - - FillEmptyContentUrls - - - - - - - - - - - - - - - - - - - text/plain - - - - - IgnoreMOAppDownloadLimit - - - - - - - - - - - - - - - - - - - text/plain - - - - - IgnoreMOUpdateDownloadLimit - - - - - - - - - - - - - - - - - - - text/plain - - - - - ManagePreviewBuilds - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseDeferrals - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdates - - - - - - - - - - - - - - - - - - - text/plain - - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - PhoneUpdateRestrictions - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireDeferUpgrade - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequireUpdateApproval - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallDay - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallEveryWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallFirstWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallFourthWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallSecondWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallThirdWeek - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduledInstallTime - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleImminentRestartWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - ScheduleRestartWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetAutoRestartNotificationDisable - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDisablePauseUXAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetDisableUXWUAccess - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetEDURestart - - - - - - - - - - - - - - - - - - - text/plain - - - - - SetProxyBehaviorForUpdateDetection - - - - - - - - - - - - - - - - - - - text/plain - - - - - TargetReleaseVersion - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateNotificationLevel - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateServiceUrl - - - - - - - - - - - - - - - - - - - text/plain - - - - - UpdateServiceUrlAlternate - - - - - - - - - - - - - - - - - - - text/plain - - - - - - UserRights - - - - - - - - - - - - - - - - - - - - - AccessCredentialManagerAsTrustedCaller - - - - - - - - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. - - - - - - - - - - - text/plain - - - - - AccessFromNetwork - - - - - - - - This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - - - - - - - - - - - text/plain - - - - - ActAsPartOfTheOperatingSystem - - - - - - - - This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - AllowLocalLogOn - - - - - - - - This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. - - - - - - - - - - - text/plain - - - - - BackupFilesAndDirectories - - - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users - - - - - - - - - - - text/plain - - - - - ChangeSystemTime - - - - - - - - This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. - - - - - - - - - - - text/plain - - - - - CreateGlobalObjects - - - - - - - - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. - - - - - - - - - - - text/plain - - - - - CreatePageFile - - - - - - - - This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users - - - - - - - - - - - text/plain - - - - - CreatePermanentSharedObjects - - - - - - - - This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. - - - - - - - - - - - text/plain - - - - - CreateSymbolicLinks - - - - - - - - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. - - - - - - - - - - - text/plain - - - - - CreateToken - - - - - - - - This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - - - - DebugPrograms - - - - - - - - This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - DenyAccessFromNetwork - - - - - - - - This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. - - - - - - - - - - - text/plain - - - - - DenyLocalLogOn - - - - - - - - This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. - - - - - - - - - - - text/plain - - - - - DenyRemoteDesktopServicesLogOn - - - - - - - - This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. - - - - - - - - - - - text/plain - - - - - EnableDelegation - - - - - - - - This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. - - - - - - - - - - - text/plain - - - - - GenerateSecurityAudits - - - - - - - - This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. - - - - - - - - - - - text/plain - - - - - ImpersonateClient - - - - - - - - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. - - - - - - - - - - - text/plain - - - - - IncreaseSchedulingPriority - - - - - - - - This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. - - - - - - - - - - - text/plain - - - - - LoadUnloadDeviceDrivers - - - - - - - - This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - - - - LockMemory - - - - - - - - This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). - - - - - - - - - - - text/plain - - - - - ManageAuditingAndSecurityLog - - - - - - - - This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. - - - - - - - - - - - text/plain - - - - - ManageVolume - - - - - - - - This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - - - - - - - - - - - text/plain - - - - - ModifyFirmwareEnvironment - - - - - - - - This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. - - - - - - - - - - - text/plain - - - - - ModifyObjectLabel - - - - - - - - This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. - - - - - - - - - - - text/plain - - - - - ProfileSingleProcess - - - - - - - - This user right determines which users can use performance monitoring tools to monitor the performance of system processes. - - - - - - - - - - - text/plain - - - - - RemoteShutdown - - - - - - - - This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. - - - - - - - - - - - text/plain - - - - - RestoreFilesAndDirectories - - - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - TakeOwnership - - - - - - - - This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - - - - - Wifi - - - - - - - - - - - - - - - - - - - - - AllowAutoConnectToWiFiSenseHotspots - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowInternetSharing - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowManualWiFiConfiguration - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWiFi - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWiFiDirect - - - - - - - - - - - - - - - - - - - text/plain - - - - - WLANScanMode - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsConnectionManager - - - - - - - - - - - - - - - - - - - - - ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsDefenderSecurityCenter - - - - - - - - - - - - - - - - - - - - - CompanyName - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAccountProtectionUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableAppBrowserUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableClearTpmButton - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableDeviceSecurityUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableEnhancedNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableFamilyUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableHealthUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableNetworkUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableTpmFirmwareUpdateWarning - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableVirusUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisallowExploitProtectionOverride - - - - - - - - - - - - - - - - - - - text/plain - - - - - Email - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableCustomizedToasts - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableInAppCustomization - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideRansomwareDataRecovery - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideSecureBoot - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideTPMTroubleshooting - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideWindowsSecurityNotificationAreaControl - - - - - - - - - - - - - - - - - - - text/plain - - - - - Phone - - - - - - - - - - - - - - - - - - - text/plain - - - - - URL - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsInkWorkspace - - - - - - - - - - - - - - - - - - - - - AllowSuggestedAppsInWindowsInkWorkspace - - - - - - - - - - - - - - - - - - - text/plain - - - - - AllowWindowsInkWorkspace - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WindowsLogon - - - - - - - - - - - - - - - - - - - - - AllowAutomaticRestartSignOn - - - - - - - - - - - - - - - - - - - text/plain - - - - - ConfigAutomaticRestartSignOn - - - - - - - - - - - - - - - - - - - text/plain - - - - - DisableLockScreenAppNotifications - - - - - - - - - - - - - - - - - - - text/plain - - - - - DontDisplayNetworkSelectionUI - - - - - - - - - - - - - - - - - - - text/plain - - - - - EnableFirstLogonAnimation - - - - - - - - This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. - -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. - - - - - - - - - - - text/plain - - - - - EnumerateLocalUsersOnDomainJoinedComputers - - - - - - - - - - - - - - - - - - - text/plain - - - - - HideFastUserSwitching - - - - - - - - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. - - - - - - - - - - - text/plain - - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - - - text/plain - - - - - - WirelessDisplay - - - - - - - - - - - - - - - - - - - - - AllowMdnsAdvertisement - - - - - - - - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. - - - - - - - - - - - text/plain - - - - - AllowMdnsDiscovery - - - - - - - - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. - - - - - - - - - - - text/plain - - - - - AllowProjectionFromPC - - - - - - - - This policy allows you to turn off projection from a PC. - If you set it to 0, your PC cannot discover or project to other devices. - If you set it to 1, your PC can discover and project to other devices. - - - - - - - - - - - text/plain - - - - - AllowProjectionFromPCOverInfrastructure - - - - - - - - This policy allows you to turn off projection from a PC over infrastructure. - If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. - If you set it to 1, your PC can discover and project to other devices over infrastructure. - - - - - - - - - - - text/plain - - - - - AllowProjectionToPC - - - - - - - - This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to - If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - - - - - - - - - - - text/plain - - - - - AllowProjectionToPCOverInfrastructure - - - - - - - - This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. - If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - - - - - - - - - - - text/plain - - - - - AllowUserInputFromWirelessDisplayReceiver - - - - - - - - - - - - - - - - - - - text/plain - - - - - RequirePinForPairing - - - - - - - - This policy setting allows you to require a pin for pairing. - If you set this to 0, a pin isn't required for pairing. - If you set this to 1, the pairing ceremony for new devices will always require a PIN. - If you set this to 2, all pairings will require PIN. - - - - - - - - - - - text/plain - - - - - - - Result - - - - - - - - - - - - - - - - - - - AboveLock - - - - - - - - - - - - - - - - - - - AllowActionCenterNotifications - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowCortanaAboveLock - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowCortanaAboveLock - LowestValueMostSecure - - - - AllowToasts - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Accounts - - - - - - - - - - - - - - - - - - - AllowAddingNonMicrosoftAccountsManually - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMicrosoftAccountConnection - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMicrosoftAccountSignInAssistant - - - - - 1 - - - - - - - - - - - - text/plain - - - LastWrite - - - - DomainNamesForEmailSync - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - ActiveXControls - - - - - - - - - - - - - - - - - - - ApprovedInstallationSites - - - - - - - - - - - - - - - - - text/plain - - phone - ActiveXInstallService.admx - ActiveXInstallService~AT~WindowsComponents~AxInstSv - ApprovedActiveXInstallSites - LastWrite - - - - - ApplicationDefaults - - - - - - - - - - - - - - - - - - - DefaultAssociationsConfiguration - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsExplorer.admx - DefaultAssociationsConfiguration_TextBox - WindowsExplorer~AT~WindowsComponents~WindowsExplorer - DefaultAssociationsConfiguration - LastWrite - - - - EnableAppUriHandlers - - - - - 1 - Enables web-to-app linking, which allows apps to be launched with a http(s) URI - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~System~PolicyPolicies - EnableAppUriHandlers - HighestValueMostSecure - - - - - ApplicationManagement - - - - - - - - - - - - - - - - - - - AllowAllTrustedApps - - - - - 65535 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AppxDeploymentAllowAllTrustedApps - LowestValueMostSecure - - - - AllowAppStoreAutoUpdate - - - - - 2 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - DisableAutoInstall - LowestValueMostSecure - - - - AllowDeveloperUnlock - - - - - 65535 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AllowDevelopmentWithoutDevLicense - LowestValueMostSecure - - - - AllowGameDVR - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - GameDVR.admx - GameDVR~AT~WindowsComponents~GAMEDVR - AllowGameDVR - LowestValueMostSecure - - - - AllowSharedUserAppData - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - AllowSharedLocalAppData - LowestValueMostSecure - - - - AllowStore - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ApplicationRestrictions - - - - - - - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - BlockNonAdminUserInstall - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - BlockNonAdminUserInstall - LowestValueMostSecure - - - - DisableStoreOriginatedApps - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - DisableStoreApps - LowestValueMostSecure - - - - LaunchAppAfterLogOn - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are to be launched after logon. - - - - - - - - - - - text/plain - - LastWrite - - - - MSIAllowUserControlOverInstall - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - EnableUserControl - HighestValueMostSecure - - - - MSIAlwaysInstallWithElevatedPrivileges - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - MSI.admx - MSI~AT~WindowsComponents~MSI - AlwaysInstallElevated - HighestValueMostSecure - - - - RequirePrivateStoreOnly - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsStore.admx - WindowsStore~AT~WindowsComponents~WindowsStore - RequirePrivateStoreOnly - HighestValueMostSecure - - - - RestrictAppDataToSystemVolume - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - RestrictAppDataToSystemVolume - LowestValueMostSecure - - - - RestrictAppToSystemVolume - - - - - 0 - - - - - - - - - - - - text/plain - - - AppxPackageManager.admx - AppxPackageManager~AT~WindowsComponents~AppxDeployment - DisableDeploymentToNonSystemVolumes - LowestValueMostSecure - - - - ScheduleForceRestartForUpdateFailures - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -]]> - - - - - AppRuntime - - - - - - - - - - - - - - - - - - - AllowMicrosoftAccountsToBeOptional - - - - - - - - - - - - - - - - - text/plain - - phone - AppXRuntime.admx - AppXRuntime~AT~WindowsComponents~AppXRuntime - AppxRuntimeMicrosoftAccountsOptional - LastWrite - - - - - AppVirtualization - - - - - - - - - - - - - - - - - - - AllowAppVClient - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV - EnableAppV - LastWrite - - - - AllowDynamicVirtualization - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Virtualization - Virtualization_JITVEnable - LastWrite - - - - AllowPackageCleanup - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_PackageManagement - PackageManagement_AutoCleanupEnable - LastWrite - - - - AllowPackageScripts - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Scripting - Scripting_Enable_Package_Scripts - LastWrite - - - - AllowPublishingRefreshUX - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Enable_Publishing_Refresh_UX - LastWrite - - - - AllowReportingServer - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Reporting - Reporting_Server_Policy - LastWrite - - - - AllowRoamingFileExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Roaming_File_Exclusions - LastWrite - - - - AllowRoamingRegistryExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Roaming_Registry_Exclusions - LastWrite - - - - AllowStreamingAutoload - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Steaming_Autoload - LastWrite - - - - ClientCoexistenceAllowMigrationmode - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Client_Coexistence - Client_Coexistence_Enable_Migration_mode - LastWrite - - - - IntegrationAllowRootGlobal - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Root_User - LastWrite - - - - IntegrationAllowRootUser - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Integration - Integration_Root_Global - LastWrite - - - - PublishingAllowServer1 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server1_Policy - LastWrite - - - - PublishingAllowServer2 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server2_Policy - LastWrite - - - - PublishingAllowServer3 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server3_Policy - LastWrite - - - - PublishingAllowServer4 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server4_Policy - LastWrite - - - - PublishingAllowServer5 - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Publishing - Publishing_Server5_Policy - LastWrite - - - - StreamingAllowCertificateFilterForClient_SSL - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Certificate_Filter_For_Client_SSL - LastWrite - - - - StreamingAllowHighCostLaunch - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Allow_High_Cost_Launch - LastWrite - - - - StreamingAllowLocationProvider - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Location_Provider - LastWrite - - - - StreamingAllowPackageInstallationRoot - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Package_Installation_Root - LastWrite - - - - StreamingAllowPackageSourceRoot - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Package_Source_Root - LastWrite - - - - StreamingAllowReestablishmentInterval - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Reestablishment_Interval - LastWrite - - - - StreamingAllowReestablishmentRetries - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Reestablishment_Retries - LastWrite - - - - StreamingSharedContentStoreMode - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Shared_Content_Store_Mode - LastWrite - - - - StreamingSupportBranchCache - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Support_Branch_Cache - LastWrite - - - - StreamingVerifyCertificateRevocationList - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Streaming - Streaming_Verify_Certificate_Revocation_List - LastWrite - - - - VirtualComponentsAllowList - - - - - - - - - - - - - - - - - text/plain - - phone - appv.admx - appv~AT~System~CAT_AppV~CAT_Virtualization - Virtualization_JITVAllowList - LastWrite - - - - - Audit - - - - - - - - - - - - - - - - - - - AccountLogon_AuditCredentialValidation - - - - - 0 - This policy setting allows you to audit events generated by validation tests on user account logon credentials. - -Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Credential Validation - LastWrite - - - - AccountLogon_AuditKerberosAuthenticationService - - - - - 0 - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Kerberos Authentication Service - LastWrite - - - - AccountLogon_AuditKerberosServiceTicketOperations - - - - - 0 - This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Kerberos Service Ticket Operations - LastWrite - - - - AccountLogon_AuditOtherAccountLogonEvents - - - - - 0 - This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. - -Currently, there are no events in this subcategory. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Logon - Audit Other Account Logon Events - LastWrite - - - - AccountLogonLogoff_AuditAccountLockout - - - - - 1 - This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -Logon events are essential for understanding user activity and to detect potential attacks. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Account Lockout - LastWrite - - - - AccountLogonLogoff_AuditGroupMembership - - - - - 0 - This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Group Membership - LastWrite - - - - AccountLogonLogoff_AuditIPsecExtendedMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Extended Mode - LastWrite - - - - AccountLogonLogoff_AuditIPsecMainMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Main Mode - LastWrite - - - - AccountLogonLogoff_AuditIPsecQuickMode - - - - - 0 - This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. - -If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If - you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit IPsec Quick Mode - LastWrite - - - - AccountLogonLogoff_AuditLogoff - - - - - 1 - This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. - -If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. -If you do not configure this policy setting, no audit event is generated when a logon session is closed. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Logoff - LastWrite - - - - AccountLogonLogoff_AuditLogon - - - - - 1 - This policy setting allows you to audit events generated by user account logon attempts on the computer. -Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: - Successful logon attempts. - Failed logon attempts. - Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. - Security identifiers (SIDs) were filtered and not allowed to log on. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Logon - LastWrite - - - - AccountLogonLogoff_AuditNetworkPolicyServer - - - - - 3 - This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. -If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. -If you do not configure this policy settings, IAS and NAP user access requests are not audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Network Policy Server - LastWrite - - - - AccountLogonLogoff_AuditOtherLogonLogoffEvents - - - - - 0 - This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: - Terminal Services session disconnections. - New Terminal Services sessions. - Locking and unlocking a workstation. - Invoking a screen saver. - Dismissal of a screen saver. - Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. - Access to a wireless network granted to a user or computer account. - Access to a wired 802.1x network granted to a user or computer account. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Other Logon Logoff Events - LastWrite - - - - AccountLogonLogoff_AuditSpecialLogon - - - - - 1 - This policy setting allows you to audit events generated by special logons such as the following : - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit Special Logon - LastWrite - - - - AccountLogonLogoff_AuditUserDeviceClaims - - - - - 0 - This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. - -When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Logon/Logoff - Audit User Device Claims - LastWrite - - - - AccountManagement_AuditApplicationGroupManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. - -If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an application group changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Application Group Management - LastWrite - - - - AccountManagement_AuditComputerAccountManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. - -If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a computer account changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Computer Account Management - LastWrite - - - - AccountManagement_AuditDistributionGroupManagement - - - - - 0 - This policy setting allows you to audit events generated by changes to distribution groups such as the following: - Distribution group is created, changed, or deleted. - Member is added or removed from a distribution group. - Distribution group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a distribution group changes. - -Note: Events in this subcategory are logged only on domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Distributio Group Management - LastWrite - - - - AccountManagement_AuditOtherAccountManagementEvents - - - - - 0 - This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: - The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. - The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. - Changes to the Default Domain Group Policy under the following Group Policy paths: -Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy -Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Other Account Management Events - LastWrite - - - - AccountManagement_AuditSecurityGroupManagement - - - - - 1 - This policy setting allows you to audit events generated by changes to security groups such as the following: - Security group is created, changed, or deleted. - Member is added or removed from a security group. - Group type is changed. - -If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a security group changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit Security Group Management - LastWrite - - - - AccountManagement_AuditUserAccountManagement - - - - - 1 - This policy setting allows you to audit changes to user accounts. Events include the following: - A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. - A user account’s password is set or changed. - A security identifier (SID) is added to the SID History of a user account. - The Directory Services Restore Mode password is configured. - Permissions on administrative user accounts are changed. - Credential Manager credentials are backed up or restored. - -If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Account Management - Audit User Account Management - LastWrite - - - - DetailedTracking_AuditDPAPIActivity - - - - - 0 - This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. - -If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit DPAPI Activity - LastWrite - - - - DetailedTracking_AuditPNPActivity - - - - - 0 - This policy setting allows you to audit when plug and play detects an external device. - -If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. -If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit PNP Activity - LastWrite - - - - DetailedTracking_AuditProcessCreation - - - - - 0 - This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. - -If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process is created. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Process Creation - LastWrite - - - - DetailedTracking_AuditProcessTermination - - - - - 0 - This policy setting allows you to audit events generated when a process ends. - -If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Process Termination - LastWrite - - - - DetailedTracking_AuditRPCEvents - - - - - 0 - This policy setting allows you to audit inbound remote procedure call (RPC) connections. - -If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit RPC Events - LastWrite - - - - DetailedTracking_AuditTokenRightAdjusted - - - - - 0 - This policy setting allows you to audit events generated by adjusting the privileges of a token. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Detailed Tracking - Audit Token Right Adjusted - LastWrite - - - - DSAccess_AuditDetailedDirectoryServiceReplication - - - - - 0 - This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Detailed Directory Service Replication - LastWrite - - - - DSAccess_AuditDirectoryServiceAccess - - - - - 0 - This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. - -Only AD DS objects with a matching system access control list (SACL) are logged. - -Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Access - LastWrite - - - - DSAccess_AuditDirectoryServiceChanges - - - - - 0 - This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. - -When possible, events logged in this subcategory indicate the old and new values of the object’s properties. - -Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. - -Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. -If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Changes - LastWrite - - - - DSAccess_AuditDirectoryServiceReplication - - - - - 0 - This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. - -If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. -If you do not configure this policy setting, no audit event is generated during AD DS replication. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~DS Access - Audit Directory Service Replication - LastWrite - - - - ObjectAccess_AuditApplicationGenerated - - - - - 0 - This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. -Events in this subcategory include: - Creation of an application client context. - Deletion of an application client context. - Initialization of an application client context. - Other application operations using the Windows Auditing APIs. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Application Generated - LastWrite - - - - ObjectAccess_AuditCentralAccessPolicyStaging - - - - - 0 - This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: -1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. -2) Failure audits when configured records access attempts when: - a) The current central access policy does not grant access but the proposed policy grants access. - b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. - -Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Central Access Policy Staging - LastWrite - - - - ObjectAccess_AuditCertificationServices - - - - - 0 - This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. -AD CS operations include the following: - AD CS startup/shutdown/backup/restore. - Changes to the certificate revocation list (CRL). - New certificate requests. - Issuing of a certificate. - Revocation of a certificate. - Changes to the Certificate Manager settings for AD CS. - Changes in the configuration of AD CS. - Changes to a Certificate Services template. - Importing of a certificate. - Publishing of a certification authority certificate is to Active Directory Domain Services. - Changes to the security permissions for AD CS. - Archival of a key. - Importing of a key. - Retrieval of a key. - Starting of Online Certificate Status Protocol (OCSP) Responder Service. - Stopping of Online Certificate Status Protocol (OCSP) Responder Service. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Certification Services - LastWrite - - - - ObjectAccess_AuditDetailedFileShare - - - - - 0 - This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Detailed File Share - LastWrite - - - - ObjectAccess_AuditFileShare - - - - - 0 - This policy setting allows you to audit attempts to access a shared folder. - -If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. - -Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit File Share - LastWrite - - - - ObjectAccess_AuditFileSystem - - - - - 0 - This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. - -Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit File System - LastWrite - - - - ObjectAccess_AuditFilteringPlatformConnection - - - - - 0 - This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: - The Windows Firewall Service blocks an application from accepting incoming connections on the network. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits a bind to a local port. - The WFP blocks a bind to a local port. - The WFP allows a connection. - The WFP blocks a connection. - The WFP permits an application or service to listen on a port for incoming connections. - The WFP blocks an application or service to listen on a port for incoming connections. - -If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. -If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Filtering Platform Connection - LastWrite - - - - ObjectAccess_AuditFilteringPlatformPacketDrop - - - - - 0 - This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Filtering Platform Packet Drop - LastWrite - - - - ObjectAccess_AuditHandleManipulation - - - - - 0 - This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. - -If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a handle is manipulated. - -Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Handle Manipulation - LastWrite - - - - ObjectAccess_AuditKernelObject - - - - - 0 - This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. - -Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Kernel Object - LastWrite - - - - ObjectAccess_AuditOtherObjectAccessEvents - - - - - 0 - This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. -For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. -For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Other Object Access Events - LastWrite - - - - ObjectAccess_AuditRegistry - - - - - 0 - This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. - -Note: You can set a SACL on a registry object using the Permissions dialog box. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Registry - LastWrite - - - - ObjectAccess_AuditRemovableStorage - - - - - 0 - This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. - -If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit Removable Storage - LastWrite - - - - ObjectAccess_AuditSAM - - - - - 0 - This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. -SAM objects include the following: - SAM_ALIAS -- A local group. - SAM_GROUP -- A group that is not a local group. - SAM_USER – A user account. - SAM_DOMAIN – A domain. - SAM_SERVER – A computer account. -If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. -Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. -Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Object Access - Audit SAM - LastWrite - - - - PolicyChange_AuditAuthenticationPolicyChange - - - - - 1 - This policy setting allows you to audit events generated by changes to the authentication policy such as the following: - Creation of forest and domain trusts. - Modification of forest and domain trusts. - Removal of forest and domain trusts. - Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. - Granting of any of the following user rights to a user or group: - Access This Computer From the Network. - Allow Logon Locally. - Allow Logon Through Terminal Services. - Logon as a Batch Job. - Logon a Service. - Namespace collision. For example, when a new trust has the same name as an existing namespace name. - -If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. - -Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Authentication Policy Change - LastWrite - - - - PolicyChange_AuditAuthorizationPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes to the authorization policy such as the following: - Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. - Changes in the Encrypted File System (EFS) policy. - Changes to the Resource attributes of an object. - Changes to the Central Access Policy (CAP) applied to an object. - -If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when the authorization policy changes. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Authorization Policy Change - LastWrite - - - - PolicyChange_AuditFilteringPlatformPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: - IPsec services status. - Changes to IPsec policy settings. - Changes to Windows Firewall policy settings. - Changes to WFP providers and engine. - -If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Filtering Platform Policy Change - LastWrite - - - - PolicyChange_AuditMPSSVCRuleLevelPolicyChange - - - - - 0 - This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: - Reporting of active policies when Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by Windows Firewall Service. - Changes to Windows Firewall Group Policy settings. - -If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit MPSSVC Rule Level Policy Change - LastWrite - - - - PolicyChange_AuditOtherPolicyChangeEvents - - - - - 0 - This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. - Applied Central Access Policies (CAPs) changes. - Boot Configuration Data (BCD) modifications. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Other Policy Change Events - LastWrite - - - - PolicyChange_AuditPolicyChange - - - - - 1 - This policy setting allows you to audit changes in the security audit policy settings such as the following: - Settings permissions and audit settings on the Audit Policy object. - Changes to the system audit policy. - Registration of security event sources. - De-registration of security event sources. - Changes to the per-user audit settings. - Changes to the value of CrashOnAuditFail. - Changes to the system access control list on a file system or registry object. - Changes to the Special Groups list. - -Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Policy Change - Audit Policy Change - LastWrite - - - - PrivilegeUse_AuditNonSensitivePrivilegeUse - - - - - 0 - This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). -The following privileges are non-sensitive: - Access Credential Manager as a trusted caller. - Access this computer from the network. - Add workstations to domain. - Adjust memory quotas for a process. - Allow log on locally. - Allow log on through Terminal Services. - Bypass traverse checking. - Change the system time. - Create a pagefile. - Create global objects. - - Create permanent shared objects. - Create symbolic links. - Deny access this computer from the network. - Deny log on as a batch job. - Deny log on as a service. - Deny log on locally. - Deny log on through Terminal Services. - Force shutdown from a remote system. - Increase a process working set. - Increase scheduling priority. - Lock pages in memory. - Log on as a batch job. - Log on as a service. - Modify an object label. - Perform volume maintenance tasks. - Profile single process. - Profile system performance. - Remove computer from docking station. - Shut down the system. - Synchronize directory service data. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. -If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Non Sensitive Privilege Use - LastWrite - - - - PrivilegeUse_AuditOtherPrivilegeUseEvents - - - - - 0 - Not used. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Other Privilege Use Events - LastWrite - - - - PrivilegeUse_AuditSensitivePrivilegeUse - - - - - 0 - This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: - A privileged service is called. - One of the following privileges are called: - Act as part of the operating system. - Back up files and directories. - Create a token object. - Debug programs. - Enable computer and user accounts to be trusted for delegation. - Generate security audits. - Impersonate a client after authentication. - Load and unload device drivers. - Manage auditing and security log. - Modify firmware environment values. - Replace a process-level token. - Restore files and directories. - Take ownership of files or other objects. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. -If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. - - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~Privilege Use - Audit Sensitive Privilege Use - LastWrite - - - - System_AuditIPsecDriver - - - - - 0 - This policy setting allows you to audit events generated by the IPsec filter driver such as the following: - Startup and shutdown of the IPsec services. - Network packets dropped due to integrity check failure. - Network packets dropped due to replay check failure. - Network packets dropped due to being in plaintext. - Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. - Inability to process IPsec filters. - -If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit IPsec Driver - LastWrite - - - - System_AuditOtherSystemEvents - - - - - 3 - This policy setting allows you to audit any of the following events: - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall Service. - Cryptography key file and migration operations. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Other System Events - LastWrite - - - - System_AuditSecurityStateChange - - - - - 1 - This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: - Startup and shutdown of the computer. - Change of system time. - Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Security State Change - LastWrite - - - - System_AuditSecuritySystemExtension - - - - - 0 - This policy setting allows you to audit events related to security system extensions or services such as the following: - A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. - A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit Security System Extension - LastWrite - - - - System_AuditSystemIntegrity - - - - - 3 - This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: - Events that could not be written to the event log because of a problem with the auditing system. - A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. - The detection of a Remote Procedure Call (RPC) that compromises system integrity. - The detection of a hash value of an executable file that is not valid as determined by Code Integrity. - Cryptographic operations that compromise system integrity. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Advanced Audit Policy Configuration~System Audit Policies~System - Audit System Integrity - LastWrite - - - - - Authentication - - - - - - - - - - - - - - - - - - - AllowAadPasswordReset - - - - - 0 - Specifies whether password reset is enabled for AAD accounts. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowFastReconnect - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSecondaryAuthenticationDevice - - - - - 0 - - - - - - - - - - - - text/plain - - - DeviceCredential.admx - DeviceCredential~AT~WindowsComponents~MSSecondaryAuthFactorCategory - MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice - LowestValueMostSecure - - - - ConfigureWebcamAccessDomainNames - - - - - - Specifies a list of domains that are allowed to access the webcam in CXH-based authentication scenarios. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - EnableFastFirstSignIn - - - - - 0 - Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableWebSignIn - - - - - 0 - Specifies whether web-based sign in is allowed for logging in to Windows - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - PreferredAadTenantDomainName - - - - - - Specifies the preferred domain among available domains in the AAD tenant. - - - - - - - - - - - text/plain - - LastWrite - - - - - Autoplay - - - - - - - - - - - - - - - - - - - DisallowAutoplayForNonVolumeDevices - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutoplayfornonVolume - LastWrite - - - - SetDefaultAutoRunBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - NoAutorun - LastWrite - - - - TurnOffAutoPlay - - - - - - - - - - - - - - - - - text/plain - - phone - AutoPlay.admx - AutoPlay~AT~WindowsComponents~AutoPlay - Autorun - LastWrite - - - - - Bitlocker - - - - - - - - - - - - - - - - - - - EncryptionMethod - - - - - 6 - - - - - - - - - - - - text/plain - - - LastWrite - - - - - BITS - - - - - - - - - - - - - - - - - - - BandwidthThrottlingEndTime - - - - - 17 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_BandwidthLimitSchedTo - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - BandwidthThrottlingStartTime - - - - - 8 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_BandwidthLimitSchedFrom - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - BandwidthThrottlingTransferRate - - - - - 1000 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_MaxTransferRateText - Bits~AT~Network~BITS - BITS_MaxBandwidth - LastWrite - - - - CostedNetworkBehaviorBackgroundPriority - - - - - 1 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_TransferPolicyNormalPriorityValue - Bits~AT~Network~BITS - BITS_SetTransferPolicyOnCostedNetwork - LastWrite - - - - CostedNetworkBehaviorForegroundPriority - - - - - 1 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_TransferPolicyForegroundPriorityValue - Bits~AT~Network~BITS - BITS_SetTransferPolicyOnCostedNetwork - LastWrite - - - - JobInactivityTimeout - - - - - 90 - - - - - - - - - - - - text/plain - - - Bits.admx - BITS_Job_Timeout_Time - Bits~AT~Network~BITS - BITS_Job_Timeout - LastWrite - - - - - Bluetooth - - - - - - - - - - - - - - - - - - - AllowAdvertising - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowDiscoverableMode - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowPrepairing - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowPromptedProximalConnections - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - LocalDeviceName - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - ServicesAllowedList - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - SetMinimumEncryptionKeySize - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - - Browser - - - - - - - - - - - - - - - - - - - AllowAddressBarDropdown - - - - - 1 - This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAddressBarDropdown - LowestValueMostSecure - - - - AllowAutofill - - - - - 0 - This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowAutofill - LowestValueMostSecure - - - - AllowBrowser - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowConfigurationUpdateForBooksLibrary - - - - - 1 - This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCookies - - - - - 2 - This setting lets you configure how your company deals with cookies. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - CookiesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - Cookies - LowestValueMostSecure - - - - AllowDeveloperTools - - - - - 1 - This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDeveloperTools - LowestValueMostSecure - - - - AllowDoNotTrack - - - - - 0 - This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowDoNotTrack - LowestValueMostSecure - - - - AllowExtensions - - - - - 1 - This setting lets you decide whether employees can load extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowExtensions - LowestValueMostSecure - - - - AllowFlash - - - - - 1 - This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlash - HighestValueMostSecure - - - - AllowFlashClickToRun - - - - - 1 - Configure the Adobe Flash Click-to-Run setting. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFlashClickToRun - HighestValueMostSecure - - - - AllowFullScreenMode - - - - - 1 - With this policy, you can specify whether to allow full-screen mode, which shows only the web content and hides the Microsoft Edge UI. - -If enabled or not configured, full-screen mode is available for use in Microsoft Edge. Your users and extensions must have the proper permissions. - -If disabled, full-screen mode is unavailable for use in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowFullScreenMode - LowestValueMostSecure - - - - AllowInPrivate - - - - - 1 - This setting lets you decide whether employees can browse using InPrivate website browsing. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowInPrivate - LowestValueMostSecure - - - - AllowMicrosoftCompatibilityList - - - - - 1 - This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. - -If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. - -If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowCVList - LowestValueMostSecure - - - - AllowPasswordManager - - - - - 1 - This setting lets you decide whether employees can save their passwords locally, using Password Manager. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPasswordManager - LowestValueMostSecure - - - - AllowPopups - - - - - 0 - This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPopups - LowestValueMostSecure - - - - AllowPrelaunch - - - - - 1 - Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrelaunch - LowestValueMostSecure - - - - AllowPrinting - - - - - 1 - With this policy, you can restrict whether printing web content in Microsoft Edge is allowed. - -If enabled, printing is allowed. - -If disabled, printing is not allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowPrinting - LowestValueMostSecure - - - - AllowSavingHistory - - - - - 1 - Microsoft Edge saves your user's browsing history, which is made up of info about the websites they visit, on their devices. - -If enabled or not configured, the browsing history is saved and visible in the History pane. - -If disabled, the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disabled, the previous browsing history remains visible in the History pane. This policy, when disabled, does not stop roaming of existing history or history coming from other roamed devices. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSavingHistory - LowestValueMostSecure - - - - AllowSearchEngineCustomization - - - - - 1 - Allow search engine customization for MDM enrolled devices. Users can change their default search engine. - -If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. -If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. - -This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchEngineCustomization - LowestValueMostSecure - - - - AllowSearchSuggestionsinAddressBar - - - - - 1 - This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSearchSuggestionsinAddressBar - LowestValueMostSecure - - - - AllowSideloadingOfExtensions - - - - - 1 - This setting lets you decide whether employees can sideload extensions in Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSideloadingOfExtensions - LowestValueMostSecure - - - - AllowSmartScreen - - - - - 1 - This setting lets you decide whether to turn on Windows Defender SmartScreen. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowSmartScreen - LowestValueMostSecure - - - - AllowTabPreloading - - - - - 1 - Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowTabPreloading - LowestValueMostSecure - - - - AllowWebContentOnNewTabPage - - - - - 1 - This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. - -If you enable this setting, Microsoft Edge opens a new tab with the New Tab page. - -If you disable this setting, Microsoft Edge opens a new tab with a blank page. If you use this setting, employees can't change it. - -If you don't configure this setting, employees can choose how new tabs appears. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowWebContentOnNewTabPage - LowestValueMostSecure - - - - AlwaysEnableBooksLibrary - - - - - 0 - Specifies whether the Books Library in Microsoft Edge will always be visible regardless of the country or region setting for the device. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AlwaysEnableBooksLibrary - LowestValueMostSecure - - - - ClearBrowsingDataOnExit - - - - - 0 - Specifies whether to always clear browsing history on exiting Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - AllowClearingBrowsingDataOnExit - LowestValueMostSecure - - - - ConfigureAdditionalSearchEngines - - - - - - Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. - -If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfigureAdditionalSearchEngines_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureAdditionalSearchEngines - LastWrite - - - - ConfigureFavoritesBar - - - - - 0 - The favorites bar shows your user's links to sites they have added to it. With this policy, you can specify whether to set the favorites bar to always be visible or hidden on any page. - -If enabled, favorites bar is always visible on any page, and the favorites bar toggle in Settings sets to On, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. The show bar/hide bar option is hidden from the context menu. - -If disabled, the favorites bar is hidden, and the favorites bar toggle resets to Off, but disabled preventing your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings. - -If not configured, the favorites bar is hidden but is visible on the Start and New Tab pages, and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureFavoritesBar - LowestValueMostSecure - - - - ConfigureHomeButton - - - - - 0 - The Home button loads either the default Start page, the New tab page, or a URL defined in the Set Home Button URL policy. - -By default, this policy is disabled or not configured and clicking the home button loads the default Start page. - -When enabled, the home button is locked down preventing your users from making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings, enable the Unlock Home Button policy. - -If Enabled AND: -- Show home button & set to Start page is selected, clicking the home button loads the Start page. -- Show home button & set to New tab page is selected, clicking the home button loads a New tab page. -- Show home button & set a specific page is selected, clicking the home button loads the URL specified in the Set Home Button URL policy. -- Hide home button is selected, the home button is hidden in Microsoft Edge. - -Default setting: Disabled or not configured -Related policies: -- Set Home Button URL -- Unlock Home Button - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureHomeButtonDropdown - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureHomeButton - LastWrite - - - - ConfigureKioskMode - - - - - 0 - Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. - -You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise, these settings are ignored. To learn more about assigned access and kiosk configuration, see “Configure kiosk and shared devices running Windows desktop editions” (https://aka.ms/E489vw). - -If enabled and set to 0 (Default or not configured): -- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. -- If it’s one of many apps, Microsoft Edge runs as normal. -If enabled and set to 1: -- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. -- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskMode_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskMode - LastWrite - - - - ConfigureKioskResetAfterIdleTimeout - - - - - 5 - You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’s browsing data. - -If enabled, you can set the idle time in minutes (0-1440). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge resets after 30 seconds. - -If you set this policy to 0, Microsoft Edge does not use an idle timer. - -If disabled or not configured, the default value is 5 minutes. - -If you do not configure Microsoft Edge in assigned access, then this policy does not take effect. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureKioskResetAfterIdleTimeout_TextBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureKioskResetAfterIdleTimeout - LastWrite - - - - ConfigureOpenMicrosoftEdgeWith - - - - - 3 - You can configure Microsoft Edge to lock down the Start page, preventing users from changing or customizing it. - -If enabled, you can choose one of the following options: -- Start page: the Start page loads ignoring the Configure Start Pages policy. -- New tab page: the New tab page loads ignoring the Configure Start Pages policy. -- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy. -- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected, you must specify at least one URL in Configure Start Pages; otherwise, this policy is ignored. - -When enabled, and you want to make changes, you must first set the Disable Lockdown of Start Pages to not configured, make the changes to the Configure Open Edge With policy, and then enable the Disable Lockdown of Start Pages policy. - -If disabled or not configured, and you enable the Disable Lockdown of Start Pages policy, your users can change or customize the Start page. - -Default setting: A specific page or pages (default) -Related policies: --Disable Lockdown of Start Pages --Configure Start Pages - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - ConfigureOpenEdgeWithListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfigureOpenEdgeWith - LastWrite - - - - ConfigureTelemetryForMicrosoft365Analytics - - - - - 0 - Configures what browsing data will be sent to Microsoft 365 Analytics for devices belonging to an organization. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - ZonesListBox - MicrosoftEdge~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryForMicrosoft365Analytics - LowestValueMostSecure - - - - DisableLockdownOfStartPages - - - - - 0 - You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pages. To do this, you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When enabled, all configured start pages are editable. Any Start page configured using the Configure Start pages policy is not locked down allowing users to edit their Start pages. - -If disabled or not configured, the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Start Pages -- Configure Open Microsoft Edge With - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - DisableLockdownOfStartPagesListBox - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - DisableLockdownOfStartPages - LowestValueMostSecure - - - - EnableExtendedBooksTelemetry - - - - - 0 - This setting allows organizations to send extended telemetry on book usage from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnableExtendedBooksTelemetry - LowestValueMostSecure - - - - EnterpriseModeSiteList - - - - - - This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - EnterSiteListPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - EnterpriseModeSiteList - LastWrite - - - - EnterpriseSiteListServiceUrl - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - FirstRunURL - - - - - - Configure first run URL. - - - - - - - - - - - text/plain - - desktop - LastWrite - - - - HomePages - - - - - - When you enable the Configure Open Microsoft Edge With policy, you can configure one or more Start pages. When you enable this policy, users are not allowed to make changes to their Start pages. - -If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - - <support.contoso.com><support.microsoft.com> - -If disabled or not configured, the webpages specified in App settings loads as the default Start pages. - -Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. - -Version 1809: -If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. - -Supported devices: Domain-joined or MDM-enrolled -Related policy: -- Configure Open Microsoft Edge With -- Disable Lockdown of Start Pages - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - HomePagesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HomePages - LastWrite - - - - LockdownFavorites - - - - - 0 - This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. - -If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - LockdownFavorites - LowestValueMostSecure - - - - PreventAccessToAboutFlagsInMicrosoftEdge - - - - - 0 - Prevent access to the about:flags page in Microsoft Edge. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventAccessToAboutFlagsInMicrosoftEdge - HighestValueMostSecure - - - - PreventCertErrorOverrides - - - - - 0 - Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. - -If enabled, overriding certificate errors are not allowed. - -If disabled or not configured, overriding certificate errors are allowed. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventCertErrorOverrides - HighestValueMostSecure - - - - PreventFirstRunPage - - - - - 0 - Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventFirstRunPage - HighestValueMostSecure - - - - PreventLiveTileDataCollection - - - - - 0 - This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventLiveTileDataCollection - HighestValueMostSecure - - - - PreventSmartScreenPromptOverride - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverride - HighestValueMostSecure - - - - PreventSmartScreenPromptOverrideForFiles - - - - - 0 - Don't allow Windows Defender SmartScreen warning overrides for unverified files. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventSmartScreenPromptOverrideForFiles - HighestValueMostSecure - - - - PreventTurningOffRequiredExtensions - - - - - - You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. - -When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. - -When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. - -If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. - -If disabled or not configured, extensions defined as part of this policy get ignored. - -Default setting: Disabled or not configured -Related policies: Allow Developer Tools -Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - PreventTurningOffRequiredExtensions_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - PreventTurningOffRequiredExtensions - LastWrite - - - - PreventUsingLocalHostIPAddressForWebRTC - - - - - 0 - Prevent using localhost IP address for WebRTC - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - HideLocalHostIPAddress - HighestValueMostSecure - - - - ProvisionFavorites - - - - - - This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. - -If you enable this setting, you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorites will appear after these provisioned favorites. - -Important -Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge. - -If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - ConfiguredFavoritesPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ConfiguredFavorites - LastWrite - - - - SendIntranetTraffictoInternetExplorer - - - - - 0 - Sends all intranet traffic over to Internet Explorer. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SendIntranetTraffictoInternetExplorer - HighestValueMostSecure - - - - SetDefaultSearchEngine - - - - - - Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. - -If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. - -If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. - - - - - - - - - - - text/plain - - MicrosoftEdge.admx - SetDefaultSearchEngine_Prompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetDefaultSearchEngine - LastWrite - - - - SetHomeButtonURL - - - - - - The home button can be configured to load a custom URL when your user clicks the home button. - -If enabled, or configured, and the Configure Home Button policy is enabled, and the Show home button & set a specific page is selected, a custom URL loads when your user clicks the home button. - -Default setting: Blank or not configured -Related policy: Configure Home Button - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetHomeButtonURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetHomeButtonURL - LastWrite - - - - SetNewTabPageURL - - - - - - You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled, Microsoft Edge ignores the URL specified in this policy and opens about:blank. - -If enabled, you can set the default New Tab page URL. - -If disabled or not configured, the default Microsoft Edge new tab page is used. - -Default setting: Disabled or not configured -Related policy: Allow web content on New Tab page - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - SetNewTabPageURLPrompt - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SetNewTabPageURL - LastWrite - - - - ShowMessageWhenOpeningSitesInInternetExplorer - - - - - 0 - You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification before the site opens. If you want to display a notification, you must enable Configure the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both. - -If enabled, the notification appears on a new page. If you want users to continue in Microsoft Edge, select the Show Keep going in Microsoft Edge option from the drop-down list under Options. - -If disabled or not configured, the default app behavior occurs and no additional page displays. - -Default setting: Disabled or not configured -Related policies: --Configure the Enterprise Mode Site List --Send all intranet sites to Internet Explorer 11 - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ShowMessageWhenOpeningSitesInInternetExplorer - HighestValueMostSecure - - - - SyncFavoritesBetweenIEAndMicrosoftEdge - - - - - 0 - Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - SyncFavoritesBetweenIEAndMicrosoftEdge - LowestValueMostSecure - - - - UnlockHomeButton - - - - - 0 - By default, when enabling Configure Home Button or Set Home Button URL, the home button is locked down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the home button even when Configure Home Button or Set Home Button URL are enabled. - -If enabled, the UI settings for the home button are enabled allowing your users to make changes, including hiding and showing the home button as well as configuring a custom URL. - -If disabled or not configured, the UI settings for the home button are disabled preventing your users from making changes. - -Default setting: Disabled or not configured -Related policy: --Configure Home Button --Set Home Button URL - - - - - - - - - - - text/plain - - - phone - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UnlockHomeButton - LowestValueMostSecure - - - - UseSharedFolderForBooks - - - - - 0 - This setting specifies whether organizations should use a folder shared across users to store books from the Books Library. - - - - - - - - - - - text/plain - - - MicrosoftEdge.admx - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - UseSharedFolderForBooks - LowestValueMostSecure - - - - - Camera - - - - - - - - - - - - - - - - - - - AllowCamera - - - - - 1 - - - - - - - - - - - - text/plain - - - Camera.admx - Camera~AT~WindowsComponents~L_Camera_GroupPolicyCategory - L_AllowCamera - LowestValueMostSecure - - - - - Cellular - - - - - - - - - - - - - - - - - - - LetAppsAccessCellularData - - - - - 0 - This policy setting specifies whether Windows apps can access cellular data. - - - - - - - - - - - text/plain - - - wwansvc.admx - LetAppsAccessCellularData_Enum - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - HighestValueMostSecure - - - - LetAppsAccessCellularData_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_ForceAllowTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - LetAppsAccessCellularData_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_ForceDenyTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - LetAppsAccessCellularData_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. - - - - - - - - - - - text/plain - - wwansvc.admx - LetAppsAccessCellularData_UserInControlOfTheseApps_List - wwansvc~AT~Network~WwanSvc_Category~CellularDataAccess - LetAppsAccessCellularData - LastWrite - ; - - - - ShowAppCellularAccessUI - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~UISettings_Category - ShowAppCellularAccessUI - LastWrite - - - - - Connectivity - - - - - - - - - - - - - - - - - - - AllowBluetooth - - - - - 2 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCellularData - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCellularDataRoaming - - - - - 1 - - - - - - - - - - - - text/plain - - - WCM.admx - WCM~AT~Network~WCM_Category - WCM_DisableRoaming - LowestValueMostSecure - - - - AllowConnectedDevices - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowNFC - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowPhonePCLinking - - - - - 1 - - - - - - - - - - - - text/plain - - - grouppolicy.admx - grouppolicy~AT~System~PolicyPolicies - enableMMX - LowestValueMostSecure - - - - AllowUSBConnection - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowVPNOverCellular - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowVPNRoamingOverCellular - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DiablePrintingOverHTTP - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - DisableHTTPPrinting_2 - LastWrite - - - - DisableDownloadingOfPrintDriversOverHTTP - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - DisableWebPnPDownload_2 - LastWrite - - - - DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards - - - - - - - - - - - - - - - - - text/plain - - phone - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - ShellPreventWPWDownload_2 - LastWrite - - - - DisallowNetworkConnectivityActiveTests - - - - - 0 - - - - - - - - - - - - text/plain - - - ICM.admx - ICM~AT~System~InternetManagement~InternetManagement_Settings - NoActiveProbe - HighestValueMostSecure - - - - HardenedUNCPaths - - - - - - - - - - - - - - - - - text/plain - - phone - networkprovider.admx - NetworkProvider~AT~Network~Cat_NetworkProvider - Pol_HardenedPaths - LastWrite - - - - ProhibitInstallationAndConfigurationOfNetworkBridge - - - - - - - - - - - - - - - - - text/plain - - phone - NetworkConnections.admx - NetworkConnections~AT~Network~NetworkConnections - NC_AllowNetBridge_NLA - LastWrite - - - - - ControlPolicyConflict - - - - - - - - - - - - - - - - - - - MDMWinsOverGP - - - - - 0 - If set to 1 then any MDM policy that is set that has an equivalent GP policy will result in GP service blocking the setting of the policy by GP MMC. Setting the value to 0 (zero) or deleting the policy will remove the GP policy blocks restore the saved GP policies. - - - - - - - - - - - text/plain - - - LastWrite - - - - - CredentialProviders - - - - - - - - - - - - - - - - - - - AllowPINLogon - - - - - - - - - - - - - - - - - text/plain - - phone - credentialproviders.admx - CredentialProviders~AT~System~Logon - AllowDomainPINLogon - LastWrite - - - - BlockPicturePassword - - - - - - - - - - - - - - - - - text/plain - - phone - credentialproviders.admx - CredentialProviders~AT~System~Logon - BlockDomainPicturePassword - LastWrite - - - - DisableAutomaticReDeploymentCredentials - - - - - 1 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - CredentialsDelegation - - - - - - - - - - - - - - - - - - - RemoteHostAllowsDelegationOfNonExportableCredentials - - - - - - - - - - - - - - - - - text/plain - - phone - CredSsp.admx - CredSsp~AT~System~CredentialsDelegation - AllowProtectedCreds - LastWrite - - - - - CredentialsUI - - - - - - - - - - - - - - - - - - - DisablePasswordReveal - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - DisablePasswordReveal - LastWrite - - - - EnumerateAdministrators - - - - - - - - - - - - - - - - - text/plain - - phone - credui.admx - CredUI~AT~WindowsComponents~CredUI - EnumerateAdministrators - LastWrite - - - - - Cryptography - - - - - - - - - - - - - - - - - - - AllowFipsAlgorithmPolicy - - - - - 0 - - - - - - - - - - - - text/plain - - - Windows Settings~Security Settings~Local Policies~Security Options - System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing - LastWrite - - - - TLSCipherSuites - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - DataProtection - - - - - - - - - - - - - - - - - - - AllowDirectMemoryAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - LegacySelectiveWipeID - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - DataUsage - - - - - - - - - - - - - - - - - - - SetCost3G - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category - SetCost3G - LastWrite - - - - SetCost4G - - - - - - - - - - - - - - - - - text/plain - - wwansvc.admx - wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category - SetCost4G - LastWrite - - - - - Defender - - - - - - - - - - - - - - - - - - - AllowArchiveScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableArchiveScanning - HighestValueMostSecure - - - - AllowBehaviorMonitoring - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableBehaviorMonitoring - HighestValueMostSecure - - - - AllowCloudProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SpynetReporting - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet - SpynetReporting - HighestValueMostSecure - - - - AllowEmailScanning - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableEmailScanning - HighestValueMostSecure - - - - AllowFullScanOnMappedNetworkDrives - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableScanningMappedNetworkDrivesForFullScan - HighestValueMostSecure - - - - AllowFullScanRemovableDriveScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableRemovableDriveScanning - HighestValueMostSecure - - - - AllowIntrusionPreventionSystem - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowIOAVProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableIOAVProtection - HighestValueMostSecure - - - - AllowOnAccessProtection - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_DisableOnAccessProtection - HighestValueMostSecure - - - - AllowRealtimeMonitoring - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - DisableRealtimeMonitoring - HighestValueMostSecure - - - - AllowScanningNetworkFiles - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableScanningNetworkFiles - HighestValueMostSecure - - - - AllowScriptScanning - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowUserUIAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ClientInterface - UX_Configuration_UILockdown - LastWrite - - - - AttackSurfaceReductionOnlyExclusions - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ASR_ASROnlyExclusions - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR - ExploitGuard_ASR_ASROnlyExclusions - LastWrite - - - - AttackSurfaceReductionRules - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ASR_Rules - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ASR - ExploitGuard_ASR_Rules - LastWrite - - - - AvgCPULoadFactor - - - - - 50 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_AvgCPULoadFactor - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_AvgCPULoadFactor - LastWrite - - - - CheckForSignaturesBeforeRunningScan - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - CheckForSignaturesBeforeRunningScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - CheckForSignaturesBeforeRunningScan - HighestValueMostSecure - - - - CloudBlockLevel - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - MpCloudBlockLevel - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine - MpEngine_MpCloudBlockLevel - LastWrite - - - - CloudExtendedTimeout - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - MpBafsExtendedTimeout - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~MpEngine - MpEngine_MpBafsExtendedTimeout - LastWrite - - - - ControlledFolderAccessAllowedApplications - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_AllowedApplications - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_AllowedApplications - LastWrite - - - - ControlledFolderAccessProtectedFolders - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_ProtectedFolders - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_ProtectedFolders - LastWrite - - - - DaysToRetainCleanedMalware - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Quarantine_PurgeItemsAfterDelay - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Quarantine - Quarantine_PurgeItemsAfterDelay - LastWrite - - - - DisableCatchupFullScan - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_DisableCatchupFullScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableCatchupFullScan - LastWrite - - - - DisableCatchupQuickScan - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_DisableCatchupQuickScan - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_DisableCatchupQuickScan - LastWrite - - - - EnableControlledFolderAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_ControlledFolderAccess - ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - LastWrite - - - - EnableLowCPUPriority - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_LowCpuPriority - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_LowCpuPriority - LastWrite - - - - EnableNetworkProtection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - ExploitGuard_EnableNetworkProtection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~ExploitGuard~ExploitGuard_NetworkProtection - ExploitGuard_EnableNetworkProtection - LastWrite - - - - ExcludedExtensions - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_PathsList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Paths - LastWrite - - - - ExcludedPaths - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_ExtensionsList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Extensions - LastWrite - - - - ExcludedProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Exclusions_ProcessesList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Exclusions - Exclusions_Processes - LastWrite - - - - PUAProtection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Root_PUAProtection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender - Root_PUAProtection - LastWrite - - - - RealTimeScanDirection - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - RealtimeProtection_RealtimeScanDirection - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~RealtimeProtection - RealtimeProtection_RealtimeScanDirection - LowestValueMostSecure - - - - ScanParameter - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScanParameters - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScanParameters - LastWrite - - - - ScheduleQuickScanTime - - - - - 120 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleQuickScantime - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleQuickScantime - LastWrite - - - - ScheduleScanDay - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleDay - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleDay - LastWrite - - - - ScheduleScanTime - - - - - 120 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - Scan_ScheduleTime - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Scan - Scan_ScheduleTime - LastWrite - - - - SecurityIntelligenceLocation - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_SharedSignaturesLocation - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_SharedSignaturesLocation - LastWrite - - - - SignatureUpdateFallbackOrder - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_FallbackOrder - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_FallbackOrder - LastWrite - - - - SignatureUpdateFileSharesSources - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - SignatureUpdate_DefinitionUpdateFileSharesSources - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_DefinitionUpdateFileSharesSources - LastWrite - - - - SignatureUpdateInterval - - - - - 8 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SignatureUpdate_SignatureUpdateInterval - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~SignatureUpdate - SignatureUpdate_SignatureUpdateInterval - LastWrite - - - - SubmitSamplesConsent - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsDefender.admx - SubmitSamplesConsent - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Spynet - SubmitSamplesConsent - HighestValueMostSecure - - - - ThreatSeverityDefaultAction - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefender.admx - Threats_ThreatSeverityDefaultActionList - WindowsDefender~AT~WindowsComponents~AntiSpywareDefender~Threats - Threats_ThreatSeverityDefaultAction - LastWrite - - - - - DeliveryOptimization - - - - - - - - - - - - - - - - - - - DOAbsoluteMaxCacheSize - - - - - 10 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - AbsoluteMaxCacheSize - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - AbsoluteMaxCacheSize - LastWrite - - - - DOAllowVPNPeerCaching - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - AllowVPNPeerCaching - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - AllowVPNPeerCaching - LowestValueMostSecure - - - - DOCacheHost - - - - - - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - CacheHost - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - CacheHost - LastWrite - - - - DOCacheHostSource - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - CacheHostSource - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - CacheHostSource - LastWrite - - - - DODelayBackgroundDownloadFromHttp - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayBackgroundDownloadFromHttp - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayBackgroundDownloadFromHttp - LastWrite - - - - DODelayCacheServerFallbackBackground - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayCacheServerFallbackBackground - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayCacheServerFallbackBackground - LastWrite - - - - DODelayCacheServerFallbackForeground - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayCacheServerFallbackForeground - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayCacheServerFallbackForeground - LastWrite - - - - DODelayForegroundDownloadFromHttp - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DelayForegroundDownloadFromHttp - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DelayForegroundDownloadFromHttp - LastWrite - - - - DODownloadMode - - - - - 1 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - DownloadMode - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - DownloadMode - LastWrite - - - - DOGroupId - - - - - - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - GroupId - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - GroupId - LastWrite - - - - DOGroupIdSource - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - GroupIdSource - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - GroupIdSource - LastWrite - - - - DOMaxBackgroundDownloadBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxBackgroundDownloadBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxBackgroundDownloadBandwidth - LastWrite - - - - DOMaxCacheAge - - - - - 259200 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxCacheAge - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxCacheAge - LastWrite - - - - DOMaxCacheSize - - - - - 20 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxCacheSize - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxCacheSize - LastWrite - - - - DOMaxForegroundDownloadBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MaxForegroundDownloadBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MaxForegroundDownloadBandwidth - LastWrite - - - - DOMinBackgroundQos - - - - - 500 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinBackgroundQos - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinBackgroundQos - LastWrite - - - - DOMinBatteryPercentageAllowedToUpload - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinBatteryPercentageAllowedToUpload - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinBatteryPercentageAllowedToUpload - LastWrite - - - - DOMinDiskSizeAllowedToPeer - - - - - 32 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinDiskSizeAllowedToPeer - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinDiskSizeAllowedToPeer - LastWrite - - - - DOMinFileSizeToCache - - - - - 100 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinFileSizeToCache - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinFileSizeToCache - LastWrite - - - - DOMinRAMAllowedToPeer - - - - - 4 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MinRAMAllowedToPeer - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MinRAMAllowedToPeer - LastWrite - - - - DOModifyCacheDrive - - - - - %SystemDrive% - - - - - - - - - - - - text/plain - - DeliveryOptimization.admx - ModifyCacheDrive - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - ModifyCacheDrive - LastWrite - - - - DOMonthlyUploadDataCap - - - - - 20 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - MonthlyUploadDataCap - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - MonthlyUploadDataCap - LastWrite - - - - DOPercentageMaxBackgroundBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - PercentageMaxBackgroundBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - PercentageMaxBackgroundBandwidth - LastWrite - - - - DOPercentageMaxForegroundBandwidth - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - PercentageMaxForegroundBandwidth - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - PercentageMaxForegroundBandwidth - LastWrite - - - - DORestrictPeerSelectionBy - - - - - 0 - - - - - - - - - - - - text/plain - - - DeliveryOptimization.admx - RestrictPeerSelectionBy - DeliveryOptimization~AT~WindowsComponents~DeliveryOptimizationCat - RestrictPeerSelectionBy - LastWrite - - - - DOSetHoursToLimitBackgroundDownloadBandwidth - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - DOSetHoursToLimitForegroundDownloadBandwidth - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - DeviceGuard - - - - - - - - - - - - - - - - - - - ConfigureSystemGuardLaunch - - - - - 0 - Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - SystemGuardDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - LowestValueMostSecureZeroHasNoLimits - - - - EnableVirtualizationBasedSecurity - - - - - 0 - Turns On Virtualization Based Security(VBS) - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - HighestValueMostSecure - - - - LsaCfgFlags - - - - - 0 - Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - CredentialIsolationDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - LowestValueMostSecureZeroHasNoLimits - - - - RequirePlatformSecurityFeatures - - - - - 1 - Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support. - - - - - - - - - - - text/plain - - - phone - DeviceGuard.admx - RequirePlatformSecurityFeaturesDrop - DeviceGuard~AT~System~DeviceGuardCategory - VirtualizationBasedSecurity - HighestValueMostSecure - - - - - DeviceHealthMonitoring - - - - - - - - - - - - - - - - - - - AllowDeviceHealthMonitoring - - - - - 0 - Enable/disable 4Nines device health monitoring on devices. - - - - - - - - - - - text/plain - - - LastWrite - - - - ConfigDeviceHealthMonitoringScope - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored. - - - - - - - - - - - text/plain - - LastWrite - - - - ConfigDeviceHealthMonitoringUploadDestination - - - - - - If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded. - - - - - - - - - - - text/plain - - LastWrite - - - - - DeviceInstallation - - - - - - - - - - - - - - - - - - - AllowInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_IDs_Allow - LastWrite - - - - AllowInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Instance_IDs_Allow - LastWrite - - - - AllowInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Classes_Allow - LastWrite - - - - PreventDeviceMetadataFromNetwork - - - - - - - - - - - - - - - - - text/plain - - phone - DeviceSetup.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceMetadata_PreventDeviceMetadataFromNetwork - LastWrite - - - - PreventInstallationOfDevicesNotDescribedByOtherPolicySettings - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Unspecified_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_IDs_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceInstanceIDs - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Instance_IDs_Deny - LastWrite - - - - PreventInstallationOfMatchingDeviceSetupClasses - - - - - - - - - - - - - - - - - text/plain - - phone - deviceinstallation.admx - DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category - DeviceInstall_Classes_Deny - LastWrite - - - - - DeviceLock - - - - - - - - - - - - - - - - - - - AllowIdleReturnWithoutPassword - - - - - 1 - Specifies whether the user must input a PIN or password when the device resumes from an idle state. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowSimpleDevicePassword - - - - - 1 - Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AlphanumericDevicePasswordRequired - - - - - 2 - Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DevicePasswordEnabled - - - - - 1 - Specifies whether device lock is enabled. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - DevicePasswordExpiration - - - - - 0 - Specifies when the password expires (in days). - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - DevicePasswordHistory - - - - - 0 - Specifies how many passwords can be stored in the history that can’t be used. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - EnforceLockScreenAndLogonImage - - - - - - - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnforceLockScreenProvider - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - MaxDevicePasswordFailedAttempts - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - MaxInactivityTimeDeviceLock - - - - - 0 - The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. - - - - - - - - - - - text/plain - - - LowestValueMostSecureZeroHasNoLimits - - - - MaxInactivityTimeDeviceLockWithExternalDisplay - - - - - 0 - Sets the maximum timeout value for the external display. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - MinDevicePasswordComplexCharacters - - - - - 1 - The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - MinDevicePasswordLength - - - - - 4 - Specifies the minimum number or characters required in the PIN or password. - - - - - - - - - - - text/plain - - - HighestValueMostSecureZeroHasNoLimits - - - - MinimumPasswordAge - - - - - 1 - This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. - -The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. - -Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Account Policies~Password Policy - Minimum password age - HighestValueMostSecure - - - - PreventEnablingLockScreenCamera - - - - - - - - - - - - - - - - - text/plain - - phone - ControlPanelDisplay.admx - ControlPanelDisplay~AT~ControlPanel~Personalization - CPL_Personalization_NoLockScreenCamera - LastWrite - - - - PreventLockScreenSlideShow - - - - - - - - - - - - - - - - - text/plain - - phone - ControlPanelDisplay.admx - ControlPanelDisplay~AT~ControlPanel~Personalization - CPL_Personalization_NoLockScreenSlideshow - LastWrite - - - - Display - - - - - - - - - - - - - - - - - - - DisablePerProcessDpiForApps - - - - - - This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayDisablePerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LastWrite - - - - EnablePerProcessDpi - - - - - - Enable or disable Per-Process System DPI for all applications. - - - - - - - - - - - text/plain - - - phone - Display.admx - DisplayGlobalPerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LowestValueMostSecure - - - - EnablePerProcessDpiForApps - - - - - - This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayEnablePerProcessSystemDpiSettings - Display~AT~System~DisplayCat - DisplayPerProcessSystemDpiSettings - LastWrite - - - - TurnOffGdiDPIScalingForApps - - - - - - This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayTurnOffGdiDPIScalingPrompt - Display~AT~System~DisplayCat - DisplayTurnOffGdiDPIScaling - LastWrite - - - - TurnOnGdiDPIScalingForApps - - - - - - This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. - - - - - - - - - - - text/plain - - phone - Display.admx - DisplayTurnOnGdiDPIScalingPrompt - Display~AT~System~DisplayCat - DisplayTurnOnGdiDPIScaling - LastWrite - - - - - DmaGuard - - - - - - - - - - - - - - - - - - - DeviceEnumerationPolicy - - - - - 1 - - - - - - - - - - - - text/plain - - - dmaguard.admx - dmaguard~AT~System~DmaGuard - DmaGuardEnumerationPolicy - LowestValueMostSecure - - - - - ErrorReporting - - - - - - - - - - - - - - - - - - - CustomizeConsentSettings - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerConsentCustomize_2 - LastWrite - - - - DisableWindowsErrorReporting - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerDisable_2 - LastWrite - - - - DisplayErrorNotification - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - PCH_ShowUI - LastWrite - - - - DoNotSendAdditionalData - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerNoSecondLevelData_2 - LastWrite - - - - PreventCriticalErrorDisplay - - - - - - - - - - - - - - - - - text/plain - - phone - ErrorReporting.admx - ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting - WerDoNotShowUI - LastWrite - - - - - EventLogService - - - - - - - - - - - - - - - - - - - ControlEventLogBehavior - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application - Channel_Log_Retention_1 - LastWrite - - - - SpecifyMaximumFileSizeApplicationLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application - Channel_LogMaxSize_1 - LastWrite - - - - SpecifyMaximumFileSizeSecurityLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security - Channel_LogMaxSize_2 - LastWrite - - - - SpecifyMaximumFileSizeSystemLog - - - - - - - - - - - - - - - - - text/plain - - phone - eventlog.admx - EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System - Channel_LogMaxSize_4 - LastWrite - - - - - Experience - - - - - - - - - - - - - - - - - - - AllowClipboardHistory - - - - - 1 - Allows history of clipboard items to be stored in memory. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - AllowClipboardHistory - LowestValueMostSecure - - - - AllowCopyPaste - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowCortana - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowCortana - LowestValueMostSecure - - - - AllowDeviceDiscovery - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowFindMyDevice - - - - - 1 - - - - - - - - - - - - text/plain - - - FindMy.admx - FindMy~AT~WindowsComponents~FindMyDeviceCat - FindMy_AllowFindMyDeviceConfig - LowestValueMostSecure - - - - AllowManualMDMUnenrollment - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSaveAsOfOfficeFiles - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowScreenCapture - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSharingOfOfficeFiles - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowSIMErrorDialogPromptWhenNoSIM - - - - - 1 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - AllowSyncMySettings - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowTaskSwitcher - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowVoiceRecording - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowWindowsConsumerFeatures - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableWindowsConsumerFeatures - LowestValueMostSecure - - - - AllowWindowsTips - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableSoftLanding - LowestValueMostSecure - - - - DisableCloudOptimizedContent - - - - - 0 - This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. - - - - - - - - - - - text/plain - - - CloudContent.admx - CloudContent~AT~WindowsComponents~CloudContent - DisableCloudOptimizedContent - HighestValueMostSecure - - - - DoNotShowFeedbackNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - FeedbackNotifications.admx - FeedbackNotifications~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DoNotShowFeedbackNotifications - HighestValueMostSecure - - - - DoNotSyncBrowserSettings - - - - - 0 - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. - Related policy: PreventUsersFromTurningOnBrowserSyncing - 0 (default) = allow syncing, 2 = disable syncing - - - - - - - - - - - text/plain - - - SettingSync.admx - SettingSync~AT~WindowsComponents~SettingSync - DisableWebBrowserSettingSync - HighestValueMostSecure - - - - PreventUsersFromTurningOnBrowserSyncing - - - - - 1 - You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSettings - 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing - - - - - - - - - - - text/plain - - - SettingSync.admx - CheckBox_UserOverride - SettingSync~AT~WindowsComponents~SettingSync - DisableWebBrowserSettingSync - HighestValueMostSecure - - - - ShowLockOnUserTile - - - - - 1 - Shows or hides lock from the user tile menu. -If you enable this policy setting, the lock option will be shown in the User Tile menu. - -If you disable this policy setting, the lock option will never be shown in the User Tile menu. - -If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel. - - - - - - - - - - - text/plain - - - WindowsExplorer.admx - WindowsExplorer~AT~WindowsExplorer - ShowLockOption - HighestValueMostSecure - - - - - ExploitGuard - - - - - - - - - - - - - - - - - - - ExploitProtectionSettings - - - - - - - - - - - - - - - - - text/plain - - ExploitGuard.admx - ExploitProtection_Name - ExploitGuard~AT~WindowsComponents~WindowsDefenderExploitGuard~ExploitProtection - ExploitProtection_Name - LastWrite - - - - - FactoryComposer - - - - - - - - - - - - - - - - - - - BackgroundImagePath - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - OEMVersion - - - - - unset; partners can set via settings customization! - - - - - - - - - - - - text/plain - - LastWrite - - - - UserToSignIn - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - UWPLaunchOnBoot - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - - FileExplorer - - - - - - - - - - - - - - - - - - - TurnOffDataExecutionPreventionForExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - Explorer.admx - Explorer~AT~WindowsExplorer - NoDataExecutionPrevention - LastWrite - - - - TurnOffHeapTerminationOnCorruption - - - - - - - - - - - - - - - - - text/plain - - phone - Explorer.admx - Explorer~AT~WindowsExplorer - NoHeapTerminationOnCorruption - LastWrite - - - - - Games - - - - - - - - - - - - - - - - - - - AllowAdvancedGamingServices - - - - - 1 - Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - - Handwriting - - - - - - - - - - - - - - - - - - - PanelDefaultModeDocked - - - - - 0 - Specifies whether the handwriting panel comes up floating near the text box or attached to the bottom of the screen - - - - - - - - - - - text/plain - - - phone - Handwriting.admx - Handwriting~AT~WindowsComponents~Handwriting - PanelDefaultModeDocked - LowestValueMostSecure - - - - - InternetExplorer - - - - - - - - - - - - - - - - - - - AddSearchProvider - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddSearchProvider - LastWrite - - - - AllowActiveXFiltering - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - TurnOnActiveXFiltering - LastWrite - - - - AllowAddOnList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - AddonManagement_AddOnList - LastWrite - - - - AllowCertificateAddressMismatchWarning - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyWarnCertMismatch - LastWrite - - - - AllowDeletingBrowsingHistoryOnExit - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteOnExit - LastWrite - - - - AllowEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode - LastWrite - - - - AllowEnhancedSuggestionsInAddressBar - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AllowServicePoweredQSA - LastWrite - - - - AllowEnterpriseModeFromToolsMenu - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeEnable - LastWrite - - - - AllowEnterpriseModeSiteList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnterpriseModeSiteList - LastWrite - - - - AllowFallbackToSSL3 - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures - Advanced_EnableSSL3Fallback - LastWrite - - - - AllowInternetExplorer7PolicyList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_UsePolicyList - LastWrite - - - - AllowInternetExplorerStandardsMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_IntranetSites - LastWrite - - - - AllowInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneTemplate - LastWrite - - - - AllowIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneTemplate - LastWrite - - - - AllowLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneTemplate - LastWrite - - - - AllowLockedDownInternetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyInternetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownIntranetZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyIntranetZoneLockdownTemplate - LastWrite - - - - AllowLockedDownLocalMachineZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyLocalMachineZoneLockdownTemplate - LastWrite - - - - AllowLockedDownRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneLockdownTemplate - LastWrite - - - - AllowOneWordEntry - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing - UseIntranetSiteForOneWordEntry - LastWrite - - - - AllowSiteToZoneAssignmentList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_Zonemaps - LastWrite - - - - AllowsLockedDownTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneLockdownTemplate - LastWrite - - - - AllowSoftwareWhenSignatureIsInvalid - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_InvalidSignatureBlock - LastWrite - - - - AllowsRestrictedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyRestrictedSitesZoneTemplate - LastWrite - - - - AllowSuggestedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - EnableSuggestedSites - LastWrite - - - - AllowTrustedSitesZoneTemplate - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_PolicyTrustedSitesZoneTemplate - LastWrite - - - - CheckServerCertificateRevocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_CertificateRevocation - LastWrite - - - - CheckSignaturesOnDownloadedPrograms - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DownloadSignatures - LastWrite - - - - ConsistentMimeHandlingInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryConsistentMimeHandling - IESF_PolicyExplorerProcesses_5 - LastWrite - - - - DisableAdobeFlash - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - DisableFlashInIE - LastWrite - - - - DisableBypassOfSmartScreenWarnings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverride - LastWrite - - - - DisableBypassOfSmartScreenWarningsAboutUncommonFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisableSafetyFilterOverrideForAppRepUnknown - LastWrite - - - - DisableCompatView - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView - CompatView_DisableList - LastWrite - - - - DisableConfiguringHistory - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - RestrictHistory - LastWrite - - - - DisableCrashDetection - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - AddonManagement_RestrictCrashDetection - LastWrite - - - - DisableCustomerExperienceImprovementProgramParticipation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SQM_DisableCEIP - LastWrite - - - - DisableDeletingUserVisitedWebsites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~DeleteBrowsingHistory - DBHDisableDeleteHistory - LastWrite - - - - DisableEnclosureDownloading - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Downloading_of_Enclosures - LastWrite - - - - DisableEncryptionSupport - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_SetWinInetProtocols - LastWrite - - - - DisableFeedsBackgroundSync - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~RSS_Feeds - Disable_Background_Syncing - LastWrite - - - - DisableFirstRunWizard - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoFirstRunCustomise - LastWrite - - - - DisableFlipAheadFeature - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableFlipAhead - LastWrite - - - - DisableGeolocation - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - GeolocationDisable - LastWrite - - - - DisableIgnoringCertificateErrors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL - NoCertError - LastWrite - - - - DisableInPrivateBrowsing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~CategoryPrivacy - DisableInPrivateBrowsing - LastWrite - - - - DisableProcessesInEnhancedProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_EnableEnhancedProtectedMode64Bit - LastWrite - - - - DisableProxyChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictProxy - LastWrite - - - - DisableSearchProviderChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoSearchProvider - LastWrite - - - - DisableSecondaryHomePageChange - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SecondaryHomePages - LastWrite - - - - DisableSecuritySettingsCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Security_Settings_Check - LastWrite - - - - DisableUpdateCheck - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NoUpdateCheck - LastWrite - - - - DisableWebAddressAutoComplete - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - RestrictWebAddressSuggest - LastWrite - - - - DoNotAllowActiveXControlsInProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage - Advanced_DisableEPMCompat - LastWrite - - - - DoNotAllowUsersToAddSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_zones_map_edit - LastWrite - - - - DoNotAllowUsersToChangePolicies - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_options_edit - LastWrite - - - - DoNotBlockOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisable - LastWrite - - - - DoNotBlockOutdatedActiveXControlsOnSpecificDomains - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDomainAllowlist - LastWrite - - - - IncludeAllLocalSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_IncludeUnspecifiedLocalSites - LastWrite - - - - IncludeAllNetworkPaths - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage - IZ_UNCAsIntranet - LastWrite - - - - InternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAccessDataSourcesAcrossDomains_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarActiveXURLaction_1 - LastWrite - - - - InternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNotificationBarDownloadURLaction_1 - LastWrite - - - - InternetZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowPasteViaScript_1 - LastWrite - - - - InternetZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDropOrPasteFiles_1 - LastWrite - - - - InternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyFontDownload_1 - LastWrite - - - - InternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyZoneElevationURLaction_1 - LastWrite - - - - InternetZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_XAML_1 - LastWrite - - - - InternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet - LastWrite - - - - InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowTDCControl_Both_Internet - LastWrite - - - - InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_WebBrowserControl_1 - LastWrite - - - - InternetZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyWindowsRestrictionsURLaction_1 - LastWrite - - - - InternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_AllowScriptlets_1 - LastWrite - - - - InternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_Phishing_1 - LastWrite - - - - InternetZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_ScriptStatusBar_1 - LastWrite - - - - InternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyUserdataPersistence_1 - LastWrite - - - - InternetZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAllowVBScript_1 - LastWrite - - - - InternetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 - LastWrite - - - - InternetZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadSignedActiveX_1 - LastWrite - - - - InternetZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDownloadUnsignedActiveX_1 - LastWrite - - - - InternetZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyTurnOnXSSFilter_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet - LastWrite - - - - InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet - LastWrite - - - - InternetZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyMimeSniffingURLaction_1 - LastWrite - - - - InternetZoneEnableProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_TurnOnProtectedMode_1 - LastWrite - - - - InternetZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_LocalPathForUpload_1 - LastWrite - - - - InternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyScriptActiveXNotMarkedSafe_1 - LastWrite - - - - InternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyJavaPermissions_1 - LastWrite - - - - InternetZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_1 - LastWrite - - - - InternetZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyLogon_1 - LastWrite - - - - InternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyNavigateSubframesAcrossDomains_1 - LastWrite - - - - InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicySignedFrameworkComponentsURLaction_1 - LastWrite - - - - InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_Policy_UnsafeFiles_1 - LastWrite - - - - InternetZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone - IZ_PolicyBlockPopupWindows_1 - LastWrite - - - - IntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAccessDataSourcesAcrossDomains_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarActiveXURLaction_3 - LastWrite - - - - IntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNotificationBarDownloadURLaction_3 - LastWrite - - - - IntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyFontDownload_3 - LastWrite - - - - IntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyZoneElevationURLaction_3 - LastWrite - - - - IntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_3 - LastWrite - - - - IntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_AllowScriptlets_3 - LastWrite - - - - IntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_Policy_Phishing_3 - LastWrite - - - - IntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyUserdataPersistence_3 - LastWrite - - - - IntranetZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 - LastWrite - - - - IntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyScriptActiveXNotMarkedSafe_3 - LastWrite - - - - IntranetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyJavaPermissions_3 - LastWrite - - - - IntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone - IZ_PolicyNavigateSubframesAcrossDomains_3 - LastWrite - - - - LocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAccessDataSourcesAcrossDomains_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarActiveXURLaction_9 - LastWrite - - - - LocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNotificationBarDownloadURLaction_9 - LastWrite - - - - LocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyFontDownload_9 - LastWrite - - - - LocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyZoneElevationURLaction_9 - LastWrite - - - - LocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_9 - LastWrite - - - - LocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_AllowScriptlets_9 - LastWrite - - - - LocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_Policy_Phishing_9 - LastWrite - - - - LocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyUserdataPersistence_9 - LastWrite - - - - LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 - LastWrite - - - - LocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyScriptActiveXNotMarkedSafe_9 - LastWrite - - - - LocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyJavaPermissions_9 - LastWrite - - - - LocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone - IZ_PolicyNavigateSubframesAcrossDomains_9 - LastWrite - - - - LockedDownInternetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyFontDownload_2 - LastWrite - - - - LockedDownInternetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyZoneElevationURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_2 - LastWrite - - - - LockedDownInternetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_AllowScriptlets_2 - LastWrite - - - - LockedDownInternetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_Policy_Phishing_2 - LastWrite - - - - LockedDownInternetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyUserdataPersistence_2 - LastWrite - - - - LockedDownInternetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_2 - LastWrite - - - - LockedDownInternetZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyJavaPermissions_2 - LastWrite - - - - LockedDownInternetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_2 - LastWrite - - - - LockedDownIntranetJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyJavaPermissions_4 - LastWrite - - - - LockedDownIntranetZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyFontDownload_4 - LastWrite - - - - LockedDownIntranetZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyZoneElevationURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_4 - LastWrite - - - - LockedDownIntranetZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_AllowScriptlets_4 - LastWrite - - - - LockedDownIntranetZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_Policy_Phishing_4 - LastWrite - - - - LockedDownIntranetZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyUserdataPersistence_4 - LastWrite - - - - LockedDownIntranetZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_4 - LastWrite - - - - LockedDownIntranetZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_4 - LastWrite - - - - LockedDownLocalMachineZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyFontDownload_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyZoneElevationURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_AllowScriptlets_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_Policy_Phishing_10 - LastWrite - - - - LockedDownLocalMachineZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyUserdataPersistence_10 - LastWrite - - - - LockedDownLocalMachineZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_10 - LastWrite - - - - LockedDownLocalMachineZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyJavaPermissions_10 - LastWrite - - - - LockedDownLocalMachineZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_10 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyFontDownload_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_AllowScriptlets_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_Policy_Phishing_8 - LastWrite - - - - LockedDownRestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyUserdataPersistence_8 - LastWrite - - - - LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_8 - LastWrite - - - - LockedDownRestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyJavaPermissions_8 - LastWrite - - - - LockedDownRestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_8 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyAccessDataSourcesAcrossDomains_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarActiveXURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNotificationBarDownloadURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyFontDownload_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyZoneElevationURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUnsignedFrameworkComponentsURLaction_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_AllowScriptlets_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_Policy_Phishing_6 - LastWrite - - - - LockedDownTrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyUserdataPersistence_6 - LastWrite - - - - LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyScriptActiveXNotMarkedSafe_6 - LastWrite - - - - LockedDownTrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyJavaPermissions_6 - LastWrite - - - - LockedDownTrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown - IZ_PolicyNavigateSubframesAcrossDomains_6 - LastWrite - - - - MimeSniffingSafetyFeatureInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMimeSniffingSafetyFeature - IESF_PolicyExplorerProcesses_6 - LastWrite - - - - MKProtocolSecurityRestrictionInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryMKProtocolSecurityRestriction - IESF_PolicyExplorerProcesses_3 - LastWrite - - - - NewTabDefaultPage - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - NewTabAction - LastWrite - - - - NotificationBarInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryInformationBar - IESF_PolicyExplorerProcesses_10 - LastWrite - - - - PreventManagingSmartScreenFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Disable_Managing_Safety_Filter_IE9 - LastWrite - - - - PreventPerUserInstallationOfActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - DisablePerUserActiveXInstall - LastWrite - - - - ProtectionFromZoneElevationInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryProtectionFromZoneElevation - IESF_PolicyExplorerProcesses_9 - LastWrite - - - - RemoveRunThisTimeButtonForOutdatedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement - VerMgmtDisableRunThisTime - LastWrite - - - - RestrictActiveXInstallInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictActiveXInstall - IESF_PolicyExplorerProcesses_11 - LastWrite - - - - RestrictedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneAllowActiveScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyActiveScripting_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowBinaryAndScriptBehaviors - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBinaryBehaviors_7 - LastWrite - - - - RestrictedSitesZoneAllowCopyPasteViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowPasteViaScript_7 - LastWrite - - - - RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDropOrPasteFiles_7 - LastWrite - - - - RestrictedSitesZoneAllowFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFileDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyFontDownload_7 - LastWrite - - - - RestrictedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyZoneElevationURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowLoadingOfXAMLFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_XAML_7 - LastWrite - - - - RestrictedSitesZoneAllowMETAREFRESH - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowMETAREFRESH_7 - LastWrite - - - - RestrictedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowTDCControl_Both_Restricted - LastWrite - - - - RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_WebBrowserControl_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptInitiatedWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyWindowsRestrictionsURLaction_7 - LastWrite - - - - RestrictedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_AllowScriptlets_7 - LastWrite - - - - RestrictedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_Phishing_7 - LastWrite - - - - RestrictedSitesZoneAllowUpdatesToStatusBarViaScript - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_ScriptStatusBar_7 - LastWrite - - - - RestrictedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyUserdataPersistence_7 - LastWrite - - - - RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAllowVBScript_7 - LastWrite - - - - RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneDownloadSignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadSignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneDownloadUnsignedActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDownloadUnsignedActiveX_7 - LastWrite - - - - RestrictedSitesZoneEnableCrossSiteScriptingFilter - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyTurnOnXSSFilter_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted - LastWrite - - - - RestrictedSitesZoneEnableMIMESniffing - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyMimeSniffingURLaction_7 - LastWrite - - - - RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_LocalPathForUpload_7 - LastWrite - - - - RestrictedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyJavaPermissions_7 - LastWrite - - - - RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLaunchAppsAndFilesInIFRAME_7 - LastWrite - - - - RestrictedSitesZoneLogonOptions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyLogon_7 - LastWrite - - - - RestrictedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_7 - LastWrite - - - - RestrictedSitesZoneRunActiveXControlsAndPlugins - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyRunActiveXControls_7 - LastWrite - - - - RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicySignedFrameworkComponentsURLaction_7 - LastWrite - - - - RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptActiveXMarkedSafe_7 - LastWrite - - - - RestrictedSitesZoneScriptingOfJavaApplets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyScriptingOfJavaApplets_7 - LastWrite - - - - RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_UnsafeFiles_7 - LastWrite - - - - RestrictedSitesZoneTurnOnProtectedMode - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_Policy_TurnOnProtectedMode_7 - LastWrite - - - - RestrictedSitesZoneUsePopupBlocker - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone - IZ_PolicyBlockPopupWindows_7 - LastWrite - - - - RestrictFileDownloadInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryRestrictFileDownload - IESF_PolicyExplorerProcesses_12 - LastWrite - - - - ScriptedWindowSecurityRestrictionsInternetExplorerProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_CategoryScriptedWindowSecurityRestrictions - IESF_PolicyExplorerProcesses_8 - LastWrite - - - - SearchProviderList - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - SpecificSearchProvider - LastWrite - - - - SecurityZonesUseOnlyMachineSettings - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - Security_HKLM_only - LastWrite - - - - SpecifyUseOfActiveXInstallerService - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer - OnlyUseAXISForActiveXInstall - LastWrite - - - - TrustedSitesZoneAllowAccessToDataSources - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAccessDataSourcesAcrossDomains_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarActiveXURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowAutomaticPromptingForFileDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNotificationBarDownloadURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowFontDownloads - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyFontDownload_5 - LastWrite - - - - TrustedSitesZoneAllowLessPrivilegedSites - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyZoneElevationURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowNETFrameworkReliantComponents - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUnsignedFrameworkComponentsURLaction_5 - LastWrite - - - - TrustedSitesZoneAllowScriptlets - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_AllowScriptlets_5 - LastWrite - - - - TrustedSitesZoneAllowSmartScreenIE - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_Policy_Phishing_5 - LastWrite - - - - TrustedSitesZoneAllowUserDataPersistence - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyUserdataPersistence_5 - LastWrite - - - - TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 - LastWrite - - - - TrustedSitesZoneInitializeAndScriptActiveXControls - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyScriptActiveXNotMarkedSafe_5 - LastWrite - - - - TrustedSitesZoneJavaPermissions - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyJavaPermissions_5 - LastWrite - - - - TrustedSitesZoneNavigateWindowsAndFrames - - - - - - - - - - - - - - - - - text/plain - - phone - inetres.admx - inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone - IZ_PolicyNavigateSubframesAcrossDomains_5 - LastWrite - - - - - Kerberos - - - - - - - - - - - - - - - - - - - AllowForestSearchOrder - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ForestSearch - LastWrite - - - - KerberosClientSupportsClaimsCompoundArmor - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - EnableCbacAndArmor - LastWrite - - - - RequireKerberosArmoring - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ClientRequireFast - LastWrite - - - - RequireStrictKDCValidation - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - ValidateKDC - LastWrite - - - - SetMaximumContextTokenSize - - - - - - - - - - - - - - - - - text/plain - - phone - Kerberos.admx - Kerberos~AT~System~kerberos - MaxTokenSize - LastWrite - - - - UPNNameHints - - - - - - Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - - This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. - - - - - - - - - - - text/plain - - phone - LastWrite - 0xF000 - - - - - KioskBrowser - - - - - - - - - - - - - - - - - - - BlockedUrlExceptions - - - - - - List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - BlockedUrls - - - - - - List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers can not navigate to. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - DefaultURL - - - - - - Configures the default URL kiosk browsers to navigate on launch and restart. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - EnableEndSessionButton - - - - - 0 - Enable/disable kiosk browser's end session button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableHomeButton - - - - - 0 - Enable/disable kiosk browser's home button. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - EnableNavigationButtons - - - - - 0 - Enable/disable kiosk browser's navigation buttons (forward/back). - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RestartOnIdleTime - - - - - 0 - Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - LanmanWorkstation - - - - - - - - - - - - - - - - - - - EnableInsecureGuestLogons - - - - - 0 - - - - - - - - - - - - text/plain - - - LanmanWorkstation.admx - LanmanWorkstation~AT~Network~Cat_LanmanWorkstation - Pol_EnableInsecureGuestLogons - LowestValueMostSecure - - - - - Licensing - - - - - - - - - - - - - - - - - - - AllowWindowsEntitlementReactivation - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - AVSValidationGP.admx - AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform - AllowWindowsEntitlementReactivation - LowestValueMostSecure - - - - DisallowKMSClientOnlineAVSValidation - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - AVSValidationGP.admx - AVSValidationGP~AT~WindowsComponents~SoftwareProtectionPlatform - NoAcquireGT - LowestValueMostSecure - - - - - LocalPoliciesSecurityOptions - - - - - - - - - - - - - - - - - - - Accounts_BlockMicrosoftAccounts - - - - - 0 - This policy setting prevents users from adding new Microsoft accounts on this computer. - -If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. - -If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. - -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Block Microsoft accounts - LastWrite - - - - Accounts_EnableAdministratorAccountStatus - - - - - 0 - This security setting determines whether the local Administrator account is enabled or disabled. - -Notes - -If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. - -Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Administrator account status - LastWrite - - - - Accounts_EnableGuestAccountStatus - - - - - 0 - This security setting determines if the Guest account is enabled or disabled. - -Default: Disabled. - -Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Guest account status - LastWrite - - - - Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly - - - - - 1 - Accounts: Limit local account use of blank passwords to console logon only - -This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. - -Default: Enabled. - - -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. - -Notes - -This setting does not affect logons that use domain accounts. -It is possible for applications that use remote interactive logons to bypass this setting. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Limit local account use of blank passwords to console logon only - LastWrite - - - - Accounts_RenameAdministratorAccount - - - - - Administrator - Accounts: Rename administrator account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. - -Default: Administrator. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Rename administrator account - LastWrite - - - - Accounts_RenameGuestAccount - - - - - Guest - Accounts: Rename guest account - -This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. - -Default: Guest. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Accounts: Rename guest account - LastWrite - - - - Devices_AllowedToFormatAndEjectRemovableMedia - - - - - 0 - Devices: Allowed to format and eject removable media - -This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: - -Administrators -Administrators and Interactive Users - -Default: This policy is not defined and only Administrators have this ability. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Allowed to format and eject removable media - LastWrite - - - - Devices_AllowUndockWithoutHavingToLogon - - - - - 1 - Devices: Allow undock without having to log on -This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. - -Caution -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Allow undock without having to log on - LastWrite - - - - Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters - - - - - 0 - Devices: Prevent users from installing printer drivers when connecting to shared printers - -For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. - -Default on servers: Enabled. -Default on workstations: Disabled - -Notes - -This setting does not affect the ability to add a local printer. -This setting does not affect Administrators. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Prevent users from installing printer drivers - LastWrite - - - - Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly - - - - - 0 - Devices: Restrict CD-ROM access to locally logged-on user only - -This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. - -If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. - -Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Devices: Restrict CD-ROM access to locally logged-on user only - LastWrite - - - - InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked - - - - - 1 - Interactive Logon:Display user information when the session is locked -User display name, domain and user names (1) -User display name only (2) -Do not display user information (3) -Domain and user names only (4) - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Display user information when the session is locked - LastWrite - - - - InteractiveLogon_DoNotDisplayLastSignedIn - - - - - 0 - Interactive logon: Don't display last signed-in -This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Don't display last signed-in - LastWrite - - - - InteractiveLogon_DoNotDisplayUsernameAtSignIn - - - - - 1 - Interactive logon: Don't display username at sign-in -This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. -If this policy is enabled, the username will not be shown. - -If this policy is disabled, the username will be shown. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Don't display username at sign-in - LastWrite - - - - InteractiveLogon_DoNotRequireCTRLALTDEL - - - - - 1 - Interactive logon: Do not require CTRL+ALT+DEL - -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. - -If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. - -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. - -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Do not require CTRL+ALT+DEL - LastWrite - - - - InteractiveLogon_MachineInactivityLimit - - - - - 0 - Interactive logon: Machine inactivity limit. - -Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. - -Default: not enforced. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Machine inactivity limit - LastWrite - - - - InteractiveLogon_MessageTextForUsersAttemptingToLogOn - - - - - - Interactive logon: Message text for users attempting to log on - -This security setting specifies a text message that is displayed to users when they log on. - -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. - -Default: No message. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Message text for users attempting to log on - LastWrite - 0xF000 - - - - InteractiveLogon_MessageTitleForUsersAttemptingToLogOn - - - - - - Interactive logon: Message title for users attempting to log on - -This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. - -Default: No message. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Message title for users attempting to log on - LastWrite - - - - InteractiveLogon_SmartCardRemovalBehavior - - - - - 0 - Interactive logon: Smart card removal behavior - -This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. - -The options are: - - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session - -If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. - -If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. - -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - -Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - -Default: This policy is not defined, which means that the system treats it as No action. - -On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Interactive logon: Smart card removal behavior - LastWrite - - - - MicrosoftNetworkClient_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network client: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB client component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. - -If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. - -Default: Disabled. - -Important - -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (always) - LastWrite - - - - MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees - - - - - 1 - Microsoft network client: Digitally sign communications (if server agrees) - -This security setting determines whether the SMB client attempts to negotiate SMB packet signing. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. - -If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Digitally sign communications (if server agrees) - LastWrite - - - - MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers - - - - - 0 - Microsoft network client: Send unencrypted password to connect to third-party SMB servers - -If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. - -Sending unencrypted passwords is a security risk. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network client: Send unencrypted password to third-party SMB servers - LastWrite - - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways - - - - - 0 - Microsoft network server: Digitally sign communications (always) - -This security setting determines whether packet signing is required by the SMB server component. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. - -If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. - -Default: - -Disabled for member servers. -Enabled for domain controllers. - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. - -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Digitally sign communications (always) - LastWrite - - - - MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees - - - - - 0 - Microsoft network server: Digitally sign communications (if client agrees) - -This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. - -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. - -If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. - -Default: Enabled on domain controllers only. - -Important - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Digitally sign communications (if client agrees) - LastWrite - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts - - - - - 1 - Network access: Do not allow anonymous enumeration of SAM accounts - -This security setting determines what additional permissions will be granted for anonymous connections to the computer. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. - -This security option allows additional restrictions to be placed on anonymous connections as follows: - -Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. -Disabled: No additional restrictions. Rely on default permissions. - -Default on workstations: Enabled. -Default on server:Enabled. - -Important - -This policy has no impact on domain controllers. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Do not allow anonymous enumeration of SAM accounts - LastWrite - - - - NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares - - - - - 0 - Network access: Do not allow anonymous enumeration of SAM accounts and shares - -This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. - -Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Do not allow anonymous enumeration of SAM accounts and shares - LastWrite - - - - NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares - - - - - 1 - Network access: Restrict anonymous access to Named Pipes and Shares - -When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Restrict anonymous access to Named Pipes and Shares - LastWrite - - - - NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM - - - - - - Network access: Restrict clients allowed to make remote calls to SAM - -This policy setting allows you to restrict remote rpc connections to SAM. - -If not selected, the default security descriptor will be used. - -This policy is supported on at least Windows Server 2016. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network access: Restrict clients allowed to make remote calls to SAM - LastWrite - - - - NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM - - - - - 1 - Network security: Allow Local System to use computer identity for NTLM - -This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. - -If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. - -If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. - -By default, this policy is enabled on Windows 7 and above. - -By default, this policy is disabled on Windows Vista. - -This policy is supported on at least Windows Vista or Windows Server 2008. - -Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Allow Local System to use computer identity for NTLM - LastWrite - - - - NetworkSecurity_AllowPKU2UAuthenticationRequests - - - - - 1 - Network security: Allow PKU2U authentication requests to this computer to use online identities. - -This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Allow PKU2U authentication requests to this computer to use online identities. - LastWrite - - - - NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange - - - - - 1 - Network security: Do not store LAN Manager hash value on next password change - -This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. - - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. - -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Do not store LAN Manager hash value on next password change - LastWrite - - - - NetworkSecurity_LANManagerAuthenticationLevel - - - - - 3 - Network security LAN Manager authentication level - -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. - -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). - -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - -Default: - -Windows 2000 and windows XP: send LM and NTLM responses - -Windows Server 2003: Send NTLM response only - -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: LAN Manager authentication level - HighestValueMostSecure - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients - - - - - 536870912 - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - -This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. -Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - HighestValueMostSecure - - - - NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers - - - - - 536870912 - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - -This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: - -Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. - -Default: - -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. - -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication - - - - - - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. - -If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. - -If you do not configure this policy setting, no exceptions will be applied. - -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication - LastWrite - - - - NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic - - - - - 0 - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - -This policy setting allows you to audit incoming NTLM traffic. - -If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. - -If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. - -If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Audit Incoming NTLM Traffic - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic - - - - - 0 - Network security: Restrict NTLM: Incoming NTLM traffic - -This policy setting allows you to deny or allow incoming NTLM traffic. - -If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. - -If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. - -If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Incoming NTLM traffic - HighestValueMostSecure - - - - NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers - - - - - 0 - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - -This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. - -If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. - -If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. - -If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. - -This policy is supported on at least Windows 7 or Windows Server 2008 R2. - -Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - HighestValueMostSecure - - - - Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn - - - - - 1 - Shutdown: Allow system to be shut down without having to log on - -This security setting determines whether a computer can be shut down without having to log on to Windows. - -When this policy is enabled, the Shut Down command is available on the Windows logon screen. - -When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. - -Default on workstations: Enabled. -Default on servers: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Shutdown: Allow system to be shut down without having to log on - LastWrite - - - - Shutdown_ClearVirtualMemoryPageFile - - - - - 0 - Shutdown: Clear virtual memory pagefile - -This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. - -Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. - -When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. - -Default: Disabled. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Shutdown: Clear virtual memory pagefile - LastWrite - - - - UserAccountControl_AllowUIAccessApplicationsToPromptForElevation - - - - - 0 - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. - -This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - -• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. - -• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - LastWrite - - - - UserAccountControl_BehaviorOfTheElevationPromptForAdministrators - - - - - 5 - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - -This policy setting controls the behavior of the elevation prompt for administrators. - -The options are: - -• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - -• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - -• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - LastWrite - - - - UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers - - - - - 3 - User Account Control: Behavior of the elevation prompt for standard users -This policy setting controls the behavior of the elevation prompt for standard users. - -The options are: - -• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. - -• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Behavior of the elevation prompt for standard users - LastWrite - - - - UserAccountControl_DetectApplicationInstallationsAndPromptForElevation - - - - - 1 - User Account Control: Detect application installations and prompt for elevation - -This policy setting controls the behavior of application installation detection for the computer. - -The options are: - -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - -Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Detect application installations and prompt for elevation - LastWrite - - - - UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated - - - - - 0 - User Account Control: Only elevate executable files that are signed and validated - -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. - -The options are: - -• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. - -• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Only elevate executables that are signed and validated - LastWrite - - - - UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations - - - - - 1 - User Account Control: Only elevate UIAccess applications that are installed in secure locations - -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - -- …\Program Files\, including subfolders -- …\Windows\system32\ -- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows - -Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. - -The options are: - -• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - -• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Only elevate UIAccess applications that are installed in secure locations - LastWrite - - - - UserAccountControl_RunAllAdministratorsInAdminApprovalMode - - - - - 1 - User Account Control: Turn on Admin Approval Mode - -This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. - -The options are: - -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Run all administrators in Admin Approval Mode - LastWrite - - - - UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation - - - - - 1 - User Account Control: Switch to the secure desktop when prompting for elevation - -This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. - -The options are: - -• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - -• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Switch to the secure desktop when prompting for elevation - LastWrite - - - - UserAccountControl_UseAdminApprovalMode - - - - - 0 - User Account Control: Use Admin Approval Mode for the built-in Administrator account - -This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. - -The options are: - -• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. - -• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Admin Approval Mode for the Built-in Administrator account - LastWrite - - - - UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations - - - - - 1 - User Account Control: Virtualize file and registry write failures to per-user locations - -This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. - -The options are: - -• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. - -• Disabled: Applications that write data to protected locations fail. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - User Account Control: Virtualize file and registry write failures to per-user locations - LastWrite - - - - - LocalUsersAndGroups - - - - - - - - - - - - - - - - - - - Configure - - - - - - This Setting allows an administrator to manage local groups on a Device. - Possible settings: - 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. - When using Update, existing group members that are not specified in the policy remain untouched. - 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. - When using Replace, existing group membership is replaced by the list of members specified in - the add member section. This option works in the same way as a Restricted Group and any group - members that are not specified in the policy are removed. - Caution: If the same group is configured with both Replace and Update, then Replace will win. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - - - - - - - - Group Configuration Action - - - - - - - - Group Member to Add - - - - - - - - Group Member to Remove - - - - - - - - Group property to configure - - - - - - - - - - - - - - - - Local Group Configuration - - - - - - - - - - - LockDown - - - - - - - - - - - - - - - - - - - AllowEdgeSwipe - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - EdgeUI.admx - EdgeUI~AT~WindowsComponents~EdgeUI - AllowEdgeSwipe - LowestValueMostSecure - - - - - Maps - - - - - - - - - - - - - - - - - - - AllowOfflineMapsDownloadOverMeteredConnection - - - - - 65535 - - - - - - - - - - - - text/plain - - - LastWrite - - - - EnableOfflineMapsAutoUpdate - - - - - 65535 - - - - - - - - - - - - text/plain - - - WinMaps.admx - WinMaps~AT~WindowsComponents~Maps - TurnOffAutoUpdate - LastWrite - - - - - Messaging - - - - - - - - - - - - - - - - - - - AllowMessageSync - - - - - 1 - This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. - - - - - - - - - - - text/plain - - - messaging.admx - messaging~AT~WindowsComponents~Messaging_Category - AllowMessageSync - LowestValueMostSecure - - - - AllowMMS - - - - - 1 - This policy setting allows you to enable or disable the sending and receiving cellular MMS messages. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowRCS - - - - - 1 - This policy setting allows you to enable or disable the sending and receiving of cellular RCS (Rich Communication Services) messages. - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - - MixedReality - - - - - - - - - - - - - - - - - - - AADGroupMembershipCacheValidityInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - BrightnessButtonDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - FallbackDiagnostics - - - - - 2 - - - - - - - - - - - - text/plain - - - LastWrite - - - - MicrophoneDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - VolumeButtonDisabled - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - MSSecurityGuide - - - - - - - - - - - - - - - - - - - ApplyUACRestrictionsToLocalAccountsOnNetworkLogon - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0201_LATFP - LastWrite - - - - ConfigureSMBV1ClientDriver - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0002_SMBv1_ClientDriver - LastWrite - - - - ConfigureSMBV1Server - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0001_SMBv1_Server - LastWrite - - - - EnableStructuredExceptionHandlingOverwriteProtection - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0102_SEHOP - LastWrite - - - - TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0101_WDPUA - LastWrite - - - - WDigestAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - SecGuide.admx - SecGuide~AT~Cat_SecGuide - Pol_SecGuide_0202_WDigestAuthn - LastWrite - - - - - MSSLegacy - - - - - - - - - - - - - - - - - - - AllowICMPRedirectsToOverrideOSPFGeneratedRoutes - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_EnableICMPRedirect - LastWrite - - - - AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_NoNameReleaseOnDemand - LastWrite - - - - IPSourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_DisableIPSourceRouting - LastWrite - - - - IPv6SourceRoutingProtectionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - mss-legacy.admx - Mss-legacy~AT~Cat_MSS - Pol_MSS_DisableIPSourceRoutingIPv6 - LastWrite - - - - - NetworkIsolation - - - - - - - - - - - - - - - - - - - EnterpriseCloudResources - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_EnterpriseCloudResourcesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_EnterpriseCloudResources - LastWrite - - - - EnterpriseInternalProxyServers - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_Intranet_ProxiesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Intranet_Proxies - LastWrite - - - - EnterpriseIPRange - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_PrivateSubnetBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_PrivateSubnet - LastWrite - - - - EnterpriseIPRangesAreAuthoritative - - - - - 0 - - - - - - - - - - - - text/plain - - - NetworkIsolation.admx - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Authoritative_Subnet - LastWrite - - - - EnterpriseNetworkDomainNames - - - - - - - - - - - - - - - - - text/plain - - LastWrite - - - - EnterpriseProxyServers - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_Domain_ProxiesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Domain_Proxies - LastWrite - - - - EnterpriseProxyServersAreAuthoritative - - - - - 0 - - - - - - - - - - - - text/plain - - - NetworkIsolation.admx - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_Authoritative_Proxies - LastWrite - - - - NeutralResources - - - - - - - - - - - - - - - - - text/plain - - NetworkIsolation.admx - WF_NetIsolation_NeutralResourcesBox - NetworkIsolation~AT~Network~WF_Isolation - WF_NetIsolation_NeutralResources - LastWrite - - - - - Notifications - - - - - - - - - - - - - - - - - - - DisallowCloudNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - WPN.admx - WPN~AT~StartMenu~NotificationsCategory - NoCloudNotification - LowestValueMostSecure - - - - - Power - - - - - - - - - - - - - - - - - - - AllowStandbyStatesWhenSleepingOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - AllowStandbyStatesDC_2 - LastWrite - - - - AllowStandbyWhenSleepingPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - AllowStandbyStatesAC_2 - LastWrite - - - - DisplayOffTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerVideoSettingsCat - VideoPowerDownTimeOutDC_2 - LastWrite - - - - DisplayOffTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerVideoSettingsCat - VideoPowerDownTimeOutAC_2 - LastWrite - - - - EnergySaverBatteryThresholdOnBattery - - - - - 0 - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - EnterEsBattThreshold - Power~AT~System~PowerManagementCat~EnergySaverSettingsCat - EsBattThresholdDC - LastWrite - - - - EnergySaverBatteryThresholdPluggedIn - - - - - 0 - This policy setting allows you to specify battery charge level at which Energy Saver is turned on. - -If you enable this policy setting, you must provide a percent value, indicating the battery charge level. Energy Saver will be automatically turned on at (and below) the specified level. - -If you disable or do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - EnterEsBattThreshold - Power~AT~System~PowerManagementCat~EnergySaverSettingsCat - EsBattThresholdAC - LastWrite - - - - HibernateTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCHibernateTimeOut_2 - LastWrite - - - - HibernateTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACHibernateTimeOut_2 - LastWrite - - - - RequirePasswordWhenComputerWakesOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCPromptForPasswordOnResume_2 - LastWrite - - - - RequirePasswordWhenComputerWakesPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACPromptForPasswordOnResume_2 - LastWrite - - - - SelectLidCloseActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCSystemLidAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCSystemLidAction_2 - LastWrite - - - - SelectLidCloseActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACSystemLidAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACSystemLidAction_2 - LastWrite - - - - SelectPowerButtonActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCPowerButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCPowerButtonAction_2 - LastWrite - - - - SelectPowerButtonActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the power button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACPowerButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACPowerButtonAction_2 - LastWrite - - - - SelectSleepButtonActionOnBattery - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectDCSleepButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - DCSleepButtonAction_2 - LastWrite - - - - SelectSleepButtonActionPluggedIn - - - - - 1 - This policy setting specifies the action that Windows takes when a user presses the sleep button. - -Possible actions include: -0 - Take no action -1 - Sleep -2 - Hibernate -3 - Shut down - -If you enable this policy setting, you must select the desired action. - -If you disable this policy setting or do not configure it, users can see and change this setting. - - - - - - - - - - - text/plain - - - Power.admx - SelectACSleepButtonAction - Power~AT~System~PowerManagementCat~PowerButtonActionSettingsCat - ACSleepButtonAction_2 - LastWrite - - - - StandbyTimeoutOnBattery - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCStandbyTimeOut_2 - LastWrite - - - - StandbyTimeoutPluggedIn - - - - - - - - - - - - - - - - - text/plain - - phone - power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACStandbyTimeOut_2 - LastWrite - - - - TurnOffHybridSleepOnBattery - - - - - 0 - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - DCStandbyWithHiberfileEnable_2 - LastWrite - - - - TurnOffHybridSleepPluggedIn - - - - - 0 - This policy setting allows you to turn off hybrid sleep. - -If you set this to 0, a hiberfile is not generated when the system transitions to sleep (Stand By). - -If you do not configure this policy setting, users control this setting. - - - - - - - - - - - text/plain - - - Power.admx - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - ACStandbyWithHiberfileEnable_2 - LastWrite - - - - UnattendedSleepTimeoutOnBattery - - - - - 0 - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - Power.admx - EnterUnattendedSleepTimeOut - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - UnattendedSleepTimeOutDC - LastWrite - - - - UnattendedSleepTimeoutPluggedIn - - - - - 0 - This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. - -If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep. - -If you disable or do not configure this policy setting, users control this setting. - -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - - - - - - - - - - - text/plain - - - Power.admx - EnterUnattendedSleepTimeOut - Power~AT~System~PowerManagementCat~PowerSleepSettingsCat - UnattendedSleepTimeOutAC - LastWrite - - - - - Printers - - - - - - - - - - - - - - - - - - - PointAndPrintRestrictions - - - - - - - - - - - - - - - - - text/plain - - phone - Printing.admx - Printing~AT~ControlPanel~CplPrinters - PointAndPrint_Restrictions_Win7 - LastWrite - - - - PublishPrinters - - - - - - - - - - - - - - - - - text/plain - - phone - Printing2.admx - Printing2~AT~Printers - PublishPrinters - LastWrite - - - - - Privacy - - - - - - - - - - - - - - - - - - - AllowAutoAcceptPairingAndPrivacyConsentPrompts - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowCrossDeviceClipboard - - - - - 1 - Allows syncing of Clipboard across devices under the same Microsoft account. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - AllowCrossDeviceClipboard - LowestValueMostSecure - - - - AllowInputPersonalization - - - - - 1 - - - - - - - - - - - - text/plain - - - 10.0.10240 - Globalization.admx - Globalization~AT~ControlPanel~RegionalOptions - AllowInputPersonalization - LowestValueMostSecure - - - - DisableAdvertisingId - - - - - 65535 - - - - - - - - - - - - text/plain - - - UserProfiles.admx - UserProfiles~AT~System~UserProfiles - DisableAdvertisingId - LowestValueMostSecureZeroHasNoLimits - - - - DisablePrivacyExperience - - - - - 0 - Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - - - - - - - - - - - text/plain - - - phone - OOBE.admx - OOBE~AT~WindowsComponents~OOBE - DisablePrivacyExperience - LowestValueMostSecure - - - - EnableActivityFeed - - - - - 1 - Enables ActivityFeed, which is responsible for mirroring different activity types (as applicable) across device graph of the user. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - EnableActivityFeed - HighestValueMostSecure - - - - LetAppsAccessAccountInfo - - - - - 0 - This policy setting specifies whether Windows apps can access account information. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessAccountInfo_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - HighestValueMostSecure - - - - LetAppsAccessAccountInfo_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessAccountInfo_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessAccountInfo_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessAccountInfo_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessAccountInfo - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception - - - - - 0 - This policy setting specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessCalendar - - - - - 0 - This policy setting specifies whether Windows apps can access the calendar. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCalendar_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - HighestValueMostSecure - - - - LetAppsAccessCalendar_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCalendar_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCalendar_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCalendar_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCalendar - LastWrite - ; - - - - LetAppsAccessCallHistory - - - - - 0 - This policy setting specifies whether Windows apps can access call history. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCallHistory_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - HighestValueMostSecure - - - - LetAppsAccessCallHistory_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCallHistory_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCallHistory_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCallHistory_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCallHistory - LastWrite - ; - - - - LetAppsAccessCamera - - - - - 0 - This policy setting specifies whether Windows apps can access the camera. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessCamera_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - HighestValueMostSecure - - - - LetAppsAccessCamera_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessCamera_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessCamera_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessCamera_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessCamera - LastWrite - ; - - - - LetAppsAccessContacts - - - - - 0 - This policy setting specifies whether Windows apps can access contacts. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessContacts_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - HighestValueMostSecure - - - - LetAppsAccessContacts_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessContacts_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessContacts_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessContacts_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessContacts - LastWrite - ; - - - - LetAppsAccessEmail - - - - - 0 - This policy setting specifies whether Windows apps can access email. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessEmail_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - HighestValueMostSecure - - - - LetAppsAccessEmail_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessEmail_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessEmail_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessEmail_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessEmail - LastWrite - ; - - - - LetAppsAccessGazeInput - - - - - 0 - This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - LetAppsAccessGazeInput_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessGazeInput_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessGazeInput_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - - - - text/plain - - LastWrite - ; - - - - LetAppsAccessLocation - - - - - 0 - This policy setting specifies whether Windows apps can access location. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessLocation_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - HighestValueMostSecure - - - - LetAppsAccessLocation_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessLocation_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessLocation_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessLocation_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessLocation - LastWrite - ; - - - - LetAppsAccessMessaging - - - - - 0 - This policy setting specifies whether Windows apps can read or send messages (text or MMS). - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMessaging_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - HighestValueMostSecure - - - - LetAppsAccessMessaging_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMessaging_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMessaging_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMessaging_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMessaging - LastWrite - ; - - - - LetAppsAccessMicrophone - - - - - 0 - This policy setting specifies whether Windows apps can access the microphone. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMicrophone_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - HighestValueMostSecure - - - - LetAppsAccessMicrophone_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMicrophone_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMicrophone_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMicrophone_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMicrophone - LastWrite - ; - - - - LetAppsAccessMotion - - - - - 0 - This policy setting specifies whether Windows apps can access motion data. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessMotion_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - HighestValueMostSecure - - - - LetAppsAccessMotion_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessMotion_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessMotion_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessMotion_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessMotion - LastWrite - ; - - - - LetAppsAccessNotifications - - - - - 0 - This policy setting specifies whether Windows apps can access notifications. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessNotifications_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - HighestValueMostSecure - - - - LetAppsAccessNotifications_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessNotifications_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessNotifications_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessNotifications_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessNotifications - LastWrite - ; - - - - LetAppsAccessPhone - - - - - 0 - This policy setting specifies whether Windows apps can make phone calls - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessPhone_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - HighestValueMostSecure - - - - LetAppsAccessPhone_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessPhone_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessPhone_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessPhone_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessPhone - LastWrite - ; - - - - LetAppsAccessRadios - - - - - 0 - This policy setting specifies whether Windows apps have access to control radios. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessRadios_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - HighestValueMostSecure - - - - LetAppsAccessRadios_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessRadios_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessRadios_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessRadios_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessRadios - LastWrite - ; - - - - LetAppsAccessTasks - - - - - 0 - This policy setting specifies whether Windows apps can access tasks. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessTasks_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - HighestValueMostSecure - - - - LetAppsAccessTasks_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTasks_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTasks_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTasks_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTasks - LastWrite - ; - - - - LetAppsAccessTrustedDevices - - - - - 0 - This policy setting specifies whether Windows apps can access trusted devices. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsAccessTrustedDevices_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - HighestValueMostSecure - - - - LetAppsAccessTrustedDevices_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsAccessTrustedDevices_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsAccessTrustedDevices_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsAccessTrustedDevices - LastWrite - ; - - - - LetAppsActivateWithVoice - - - - - 0 - This policy setting specifies whether Windows apps can be activated by voice. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsActivateWithVoice_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsActivateWithVoice - HighestValueMostSecure - - - - LetAppsActivateWithVoiceAboveLock - - - - - 0 - This policy setting specifies whether Windows apps can be activated by voice while the system is locked. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsActivateWithVoiceAboveLock_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsActivateWithVoiceAboveLock - HighestValueMostSecure - - - - LetAppsGetDiagnosticInfo - - - - - 0 - This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - HighestValueMostSecure - - - - LetAppsGetDiagnosticInfo_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsGetDiagnosticInfo_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsGetDiagnosticInfo - LastWrite - ; - - - - LetAppsRunInBackground - - - - - 0 - This policy setting specifies whether Windows apps can run in the background. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsRunInBackground_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - HighestValueMostSecure - - - - LetAppsRunInBackground_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsRunInBackground_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsRunInBackground_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsRunInBackground_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsRunInBackground - LastWrite - ; - - - - LetAppsSyncWithDevices - - - - - 0 - This policy setting specifies whether Windows apps can communicate with unpaired wireless devices. - - - - - - - - - - - text/plain - - - AppPrivacy.admx - LetAppsSyncWithDevices_Enum - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - HighestValueMostSecure - - - - LetAppsSyncWithDevices_ForceAllowTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_ForceAllowTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - LetAppsSyncWithDevices_ForceDenyTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not be allowed to communicate with unpaired wireless devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_ForceDenyTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - LetAppsSyncWithDevices_UserInControlOfTheseApps - - - - - - List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'Communicate with unpaired wireless devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - - - - - text/plain - - AppPrivacy.admx - LetAppsSyncWithDevices_UserInControlOfTheseApps_List - AppPrivacy~AT~WindowsComponents~AppPrivacy - LetAppsSyncWithDevices - LastWrite - ; - - - - PublishUserActivities - - - - - 1 - Allows apps/system to publish 'User Activities' into ActivityFeed. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - PublishUserActivities - HighestValueMostSecure - - - - UploadUserActivities - - - - - 1 - Allows ActivityFeed to upload published 'User Activities'. - - - - - - - - - - - text/plain - - - OSPolicy.admx - OSPolicy~AT~System~PolicyPolicies - UploadUserActivities - HighestValueMostSecure - - - - - RemoteAssistance - - - - - - - - - - - - - - - - - - - CustomizeWarningMessages - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Options - LastWrite - - - - SessionLogging - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Logging - LastWrite - - - - SolicitedRemoteAssistance - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Solicit - LastWrite - - - - UnsolicitedRemoteAssistance - - - - - - - - - - - - - - - - - text/plain - - phone - remoteassistance.admx - RemoteAssistance~AT~System~RemoteAssist - RA_Unsolicit - LastWrite - - - - - RemoteDesktopServices - - - - - - - - - - - - - - - - - - - AllowUsersToConnectRemotely - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS - TS_DISABLE_CONNECTIONS - LastWrite - - - - ClientConnectionEncryptionLevel - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_ENCRYPTION_POLICY - LastWrite - - - - DoNotAllowDriveRedirection - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION - TS_CLIENT_DRIVE_M - LastWrite - - - - DoNotAllowPasswordSaving - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT - TS_CLIENT_DISABLE_PASSWORD_SAVING_2 - LastWrite - - - - PromptForPasswordUponConnection - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_PASSWORD - LastWrite - - - - RequireSecureRPCCommunication - - - - - - - - - - - - - - - - - text/plain - - phone - terminalserver.admx - TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY - TS_RPC_ENCRYPTION - LastWrite - - - - - RemoteManagement - - - - - - - - - - - - - - - - - - - AllowBasicAuthentication_Client - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - AllowBasic_2 - LastWrite - - - - AllowBasicAuthentication_Service - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowBasic_1 - LastWrite - - - - AllowCredSSPAuthenticationClient - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRMClient - AllowCredSSP_2 - LastWrite - - - - AllowCredSSPAuthenticationService - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowCredSSP_1 - LastWrite - - - - AllowRemoteServerManagement - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowAutoConfig - LastWrite - - - - AllowUnencryptedTraffic_Client - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - AllowUnencrypted_2 - LastWrite - - - - AllowUnencryptedTraffic_Service - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - AllowUnencrypted_1 - LastWrite - - - - DisallowDigestAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowDigest - LastWrite - - - - DisallowNegotiateAuthenticationClient - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - DisallowNegotiate_2 - LastWrite - - - - DisallowNegotiateAuthenticationService - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisallowNegotiate_1 - LastWrite - - - - DisallowStoringOfRunAsCredentials - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - DisableRunAs - LastWrite - - - - SpecifyChannelBindingTokenHardeningLevel - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - CBTHardeningLevel_1 - LastWrite - - - - TrustedHosts - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMClient - TrustedHosts - LastWrite - - - - TurnOnCompatibilityHTTPListener - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - HttpCompatibilityListener - LastWrite - - - - TurnOnCompatibilityHTTPSListener - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteManagement.admx - WindowsRemoteManagement~AT~WindowsComponents~WinRM~WinRMService - HttpsCompatibilityListener - LastWrite - - - - - RemoteProcedureCall - - - - - - - - - - - - - - - - - - - RestrictUnauthenticatedRPCClients - - - - - - - - - - - - - - - - - text/plain - - phone - rpc.admx - RPC~AT~System~Rpc - RpcRestrictRemoteClients - LastWrite - - - - RPCEndpointMapperClientAuthentication - - - - - - - - - - - - - - - - - text/plain - - phone - rpc.admx - RPC~AT~System~Rpc - RpcEnableAuthEpResolution - LastWrite - - - - - RemoteShell - - - - - - - - - - - - - - - - - - - AllowRemoteShellAccess - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - AllowRemoteShellAccess - LastWrite - - - - MaxConcurrentUsers - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxConcurrentUsers - LastWrite - - - - SpecifyIdleTimeout - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - IdleTimeout - LastWrite - - - - SpecifyMaxMemory - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxMemoryPerShellMB - LastWrite - - - - SpecifyMaxProcesses - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxProcessesPerShell - LastWrite - - - - SpecifyMaxRemoteShells - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - MaxShellsPerUser - LastWrite - - - - SpecifyShellTimeout - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsRemoteShell.admx - WindowsRemoteShell~AT~WindowsComponents~WinRS - ShellTimeOut - LastWrite - - - - - RestrictedGroups - - - - - - - - - - - - - - - - - - - ConfigureGroupMembership - - - - - - This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - - - - - - - - Restricted Group Member - - - - - - - - - - - - - - - Restricted Group - - - - - - ]]> - - - - - Search - - - - - - - - - - - - - - - - - - - AllowCloudSearch - - - - - 2 - - - - - - - - - - - - text/plain - - - Search.admx - AllowCloudSearch_Dropdown - Search~AT~WindowsComponents~Search - AllowCloudSearch - LowestValueMostSecure - - - - AllowCortanaInAAD - - - - - 0 - This features allows you to show the cortana opt-in page during Windows Setup - - - - - - - - - - - text/plain - - - phone - Search.admx - Search~AT~WindowsComponents~Search - AllowCortanaInAAD - LowestValueMostSecure - - - - AllowFindMyFiles - - - - - 1 - This feature allows you to disable find my files completely on the machine - - - - - - - - - - - text/plain - - - phone - Search.admx - Search~AT~WindowsComponents~Search - AllowFindMyFiles - LowestValueMostSecure - - - - AllowIndexingEncryptedStoresOrItems - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowIndexingEncryptedStoresOrItems - LowestValueMostSecure - - - - AllowSearchToUseLocation - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowSearchToUseLocation - LowestValueMostSecure - - - - AllowStoringImagesFromVisionSearch - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUsingDiacritics - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AllowUsingDiacritics - HighestValueMostSecure - - - - AllowWindowsIndexer - - - - - 3 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AlwaysUseAutoLangDetection - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - AlwaysUseAutoLangDetection - HighestValueMostSecure - - - - DisableBackoff - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DisableBackoff - HighestValueMostSecure - - - - DisableRemovableDriveIndexing - - - - - 0 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DisableRemovableDriveIndexing - HighestValueMostSecure - - - - DoNotUseWebResults - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - DoNotUseWebResults - LowestValueMostSecure - - - - PreventIndexingLowDiskSpaceMB - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - StopIndexingOnLimitedHardDriveSpace - HighestValueMostSecure - - - - PreventRemoteQueries - - - - - 1 - - - - - - - - - - - - text/plain - - - Search.admx - Search~AT~WindowsComponents~Search - PreventRemoteQueries - HighestValueMostSecure - - - - SafeSearchPermissions - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - HighestValueMostSecure - - - - - Security - - - - - - - - - - - - - - - - - - - AllowAddProvisioningPackage - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowManualRootCertificateInstallation - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - AllowRemoveProvisioningPackage - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AntiTheftMode - - - - - 1 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ClearTPMIfNotReady - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - TPM.admx - TPM~AT~System~TPMCategory - ClearTPMIfNotReady_Name - HighestValueMostSecure - - - - ConfigureWindowsPasswords - - - - - 2 - Configures the use of passwords for Windows features - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - PreventAutomaticDeviceEncryptionForAzureADJoinedDevices - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - RecoveryEnvironmentAuthentication - - - - - 0 - This policy controls the requirement of Admin Authentication in RecoveryEnvironment. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - RequireDeviceEncryption - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - RequireProvisioningPackageSignature - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - RequireRetrieveHealthCertificateOnBoot - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - ServiceControlManager - - - - - - - - - - - - - - - - - - - SvchostProcessMitigation - - - - - - - - - - - - - - - - - text/plain - - phone - ServiceControlManager.admx - ServiceControlManager~AT~System~ServiceControlManagerCat~ServiceControlManagerSecurityCat - SvchostProcessMitigationEnable - LastWrite - - - - - Settings - - - - - - - - - - - - - - - - - - - AllowAutoPlay - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowDataSense - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowDateTime - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowEditDeviceName - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowLanguage - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowOnlineTips - - - - - 1 - - - - - - - - - - - - text/plain - - - ControlPanel.admx - CheckBox_AllowOnlineTips - ControlPanel~AT~ControlPanel - AllowOnlineTips - LowestValueMostSecure - - - - AllowPowerSleep - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowRegion - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowSignInOptions - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowVPN - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWorkplace - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowYourAccount - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - PageVisibilityList - - - - - - - - - - - - - - - - - text/plain - - ControlPanel.admx - SettingsPageVisibilityBox - ControlPanel~AT~ControlPanel - SettingsPageVisibility - LastWrite - - - - - SmartScreen - - - - - - - - - - - - - - - - - - - EnableAppInstallControl - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ConfigureAppInstallControl - LastWrite - - - - EnableSmartScreenInShell - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ShellConfigureSmartScreen - HighestValueMostSecure - - - - PreventOverrideForFilesInShell - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - SmartScreen.admx - ShellConfigureSmartScreen_Dropdown - SmartScreen~AT~WindowsComponents~SmartScreen~Shell - ShellConfigureSmartScreen - HighestValueMostSecure - - - - - Speech - - - - - - - - - - - - - - - - - - - AllowSpeechModelUpdate - - - - - 1 - - - - - - - - - - - - text/plain - - - Speech.admx - Speech~AT~WindowsComponents~Speech - AllowSpeechModelUpdate - LowestValueMostSecure - - - - - Start - - - - - - - - - - - - - - - - - - - AllowPinnedFolderDocuments - - - - - 65535 - This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderDownloads - - - - - 65535 - This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderFileExplorer - - - - - 65535 - This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderHomeGroup - - - - - 65535 - This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderMusic - - - - - 65535 - This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderNetwork - - - - - 65535 - This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderPersonalFolder - - - - - 65535 - This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderPictures - - - - - 65535 - This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderSettings - - - - - 65535 - This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowPinnedFolderVideos - - - - - 65535 - This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - DisableContextMenus - - - - - 0 - Enabling this policy prevents context menus from being invoked in the Start Menu. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - DisableContextMenusInStart - LowestValueMostSecure - - - - ForceStartSize - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - ForceStartSize - LastWrite - - - - HideAppList - - - - - 0 - Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - HideChangeAccountSettings - - - - - 0 - Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideFrequentlyUsedApps - - - - - 0 - Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoFrequentUsedPrograms - LowestValueMostSecure - - - - HideHibernate - - - - - 0 - Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideLock - - - - - 0 - Enabling this policy hides "Lock" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HidePowerButton - - - - - 0 - Enabling this policy hides the power button from appearing in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideRecentJumplists - - - - - 0 - Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - NoRecentDocsHistory - LowestValueMostSecure - - - - HideRecentlyAddedApps - - - - - 0 - Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. - - - - - - - - - - - text/plain - - - phone - StartMenu.admx - StartMenu~AT~StartMenu - HideRecentlyAddedApps - LowestValueMostSecure - - - - HideRestart - - - - - 0 - Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideShutDown - - - - - 0 - Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSignOut - - - - - 0 - Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSleep - - - - - 0 - Enabling this policy hides "Sleep" from appearing in the power button in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideSwitchAccount - - - - - 0 - Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - HideUserTile - - - - - 0 - Enabling this policy hides the user tile from appearing in the start menu. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ImportEdgeAssets - - - - - - This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - NoPinningToTaskbar - - - - - 0 - This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - StartLayout - - - - - - - - - - - - - - - - - text/plain - - phone - StartMenu.admx - StartMenu~AT~StartMenu - LockedStartLayout - LastWrite - - - - - Storage - - - - - - - - - - - - - - - - - - - AllowDiskHealthModelUpdates - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - StorageHealth.admx - StorageHealth~AT~System~StorageHealth - SH_AllowDiskHealthModelUpdates - LastWrite - - - - AllowStorageSenseGlobal - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_AllowStorageSenseGlobal - LastWrite - - - - AllowStorageSenseTemporaryFilesCleanup - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_AllowStorageSenseTemporaryFilesCleanup - LastWrite - - - - ConfigStorageSenseCloudContentDehydrationThreshold - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseCloudContentDehydrationThreshold - LastWrite - - - - ConfigStorageSenseDownloadsCleanupThreshold - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseDownloadsCleanupThreshold - LastWrite - - - - ConfigStorageSenseGlobalCadence - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseGlobalCadence - LastWrite - - - - ConfigStorageSenseRecycleBinCleanupThreshold - - - - - 30 - - - - - - - - - - - - text/plain - - - phone - StorageSense.admx - StorageSense~AT~System~StorageSense - SS_ConfigStorageSenseRecycleBinCleanupThreshold - LastWrite - - - - EnhancedStorageDevices - - - - - - - - - - - - - - - - - text/plain - - phone - enhancedstorage.admx - EnhancedStorage~AT~System~EnStorDeviceAccess - TCGSecurityActivationDisabled - LastWrite - - - - RemovableDiskDenyWriteAccess - - - - - 0 - If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - - - - - - - - - - - text/plain - - - RemovableStorage.admx - RemovableDisks_DenyWrite_Access_2 - RemovableStorage~AT~System~DeviceAccess - RemovableDisks_DenyWrite_Access_2 - HighestValueMostSecure - - - - - System - - - - - - - - - - - - - - - - - - - AllowBuildPreview - - - - - 2 - - - - - - - - - - - - text/plain - - - AllowBuildPreview.admx - AllowBuildPreview~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowBuildPreview - LowestValueMostSecure - - - - AllowCommercialDataPipeline - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowCommercialDataPipeline - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowCommercialDataPipeline - HighestValueMostSecure - - - - AllowDeviceNameInDiagnosticData - - - - - 0 - This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowDeviceNameInDiagnosticData - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowDeviceNameInDiagnosticData - LowestValueMostSecure - - - - AllowEmbeddedMode - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowExperimentation - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowFontProviders - - - - - 1 - - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~Network~NetworkFonts - EnableFontProviders - LowestValueMostSecure - - - - AllowLocation - - - - - 1 - - - - - - - - - - - - text/plain - - - Sensors.admx - Sensors~AT~LocationAndSensors - DisableLocation_2 - LowestValueMostSecure - - - - AllowStorageCard - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowTelemetry - - - - - 3 - - - - - - - - - - - - text/plain - - - DataCollection.admx - AllowTelemetry - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - AllowTelemetry - LowestValueMostSecure - - - - AllowUserToResetPhone - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - BootStartDriverInitialization - - - - - - - - - - - - - - - - - text/plain - - phone - earlylauncham.admx - EarlyLaunchAM~AT~System~ELAMCategory - POL_DriverLoadPolicy_Name - LastWrite - - - - ConfigureMicrosoft365UploadEndpoint - - - - - - - - - - - - - - - - - text/plain - - DataCollection.admx - ConfigureMicrosoft365UploadEndpoint - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureMicrosoft365UploadEndpoint - LastWrite - - - - ConfigureTelemetryOptInChangeNotification - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - ConfigureTelemetryOptInChangeNotification - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryOptInChangeNotification - HighestValueMostSecure - - - - ConfigureTelemetryOptInSettingsUx - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - ConfigureTelemetryOptInSettingsUx - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - ConfigureTelemetryOptInSettingsUx - HighestValueMostSecure - - - - DisableDeviceDelete - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableDeviceDelete - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableDeviceDelete - HighestValueMostSecure - - - - DisableDiagnosticDataViewer - - - - - 0 - - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableDiagnosticDataViewer - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableDiagnosticDataViewer - HighestValueMostSecure - - - - DisableDirectXDatabaseUpdate - - - - - 0 - This group policy allows control over whether the DirectX Database Updater task will be run on the system. - - - - - - - - - - - text/plain - - - GroupPolicy.admx - GroupPolicy~AT~Network~DirectXDatabase - DisableDirectXDatabaseUpdate - HighestValueMostSecure - - - - DisableEnterpriseAuthProxy - - - - - 0 - This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - - - - - - - - - text/plain - - - DataCollection.admx - DisableEnterpriseAuthProxy - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - DisableEnterpriseAuthProxy - LastWrite - - - - DisableOneDriveFileSync - - - - - 0 - This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Microsoft Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - - - - - - - - - text/plain - - - SkyDrive.admx - SkyDrive~AT~WindowsComponents~OneDrive - PreventOnedriveFileSync - HighestValueMostSecure - - - - DisableSystemRestore - - - - - - - - - - - - - - - - - text/plain - - phone - systemrestore.admx - SystemRestore~AT~System~SR - SR_DisableSR - LastWrite - - - - FeedbackHubAlwaysSaveDiagnosticsLocally - - - - - 0 - Diagnostic files created when a feedback is filed in the Feedback Hub app will always be saved locally. If this policy is not present or set to false, users will be presented with the option to save locally. The default is to not save locally. - - - - - - - - - - - text/plain - - - LastWrite - - - - LimitEnhancedDiagnosticDataWindowsAnalytics - - - - - 0 - This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. By configuring this setting, you're not stopping people from changing their Telemetry Settings; however, you are stopping them from choosing a higher level than you've set for the organization. To enable this behavior, you must complete two steps: 1. Enable this policy setting 2. Set Allow Telemetry to level 2 (Enhanced).If you configure these policy settings together, you'll send the Basic level of diagnostic data plus any additional events that are required for Windows Analytics, to Microsoft. The additional events are documented here: https://go.Microsoft.com/fwlink/?linked=847594. If you enable Enhanced diagnostic data in the Allow Telemetry policy setting, but you don't configure this policy setting, you'll send the required events for Windows Analytics, plus any additional Enhanced level telemetry data to Microsoft. This setting has no effect on computers configured to send Full, Basic, or Security level diagnostic data to Microsoft. If you disable or don't configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the Allow Telemetry policy setting. - - - - - - - - - - - text/plain - - - DataCollection.admx - LimitEnhancedDiagnosticDataWindowsAnalytics - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - LimitEnhancedDiagnosticDataWindowsAnalytics - LowestValueMostSecure - - - - TelemetryProxy - - - - - - - - - - - - - - - - - text/plain - - DataCollection.admx - TelemetryProxyName - DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds - TelemetryProxy - LastWrite - - - - TurnOffFileHistory - - - - - 0 - This policy setting allows you to turn off File History. - -If you enable this policy setting, File History cannot be activated to create regular, automatic backups. - -If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups. - - - - - - - - - - - text/plain - - - FileHistory.admx - FileHistory~AT~WindowsComponents~FileHistory - DisableFileHistory - LowestValueMostSecure - - - - - SystemServices - - - - - - - - - - - - - - - - - - - ConfigureHomeGroupListenerServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - HomeGroup Listener - LastWrite - - - - ConfigureHomeGroupProviderServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - HomeGroup Provider - LastWrite - - - - ConfigureXboxAccessoryManagementServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Accessory Management Service - LastWrite - - - - ConfigureXboxLiveAuthManagerServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Auth Manager - LastWrite - - - - ConfigureXboxLiveGameSaveServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Game Save - LastWrite - - - - ConfigureXboxLiveNetworkingServiceStartupMode - - - - - 3 - This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~System Services - Xbox Live Networking Service - LastWrite - - - - - TaskManager - - - - - - - - - - - - - - - - - - - AllowEndTask - - - - - 1 - This setting determines whether non-administrators can use Task Manager to end tasks - enabled (1) or disabled (0). Default: enabled - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - TaskScheduler - - - - - - - - - - - - - - - - - - - EnableXboxGameSaveTask - - - - - 0 - This setting determines whether the specific task is enabled (1) or disabled (0). Default: Enabled. - - - - - - - - - - - text/plain - - - phone - LastWrite - - - - - TextInput - - - - - - - - - - - - - - - - - - - AllowHardwareKeyboardTextSuggestions - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowIMELogging - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowIMENetworkAccess - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowInputPanel - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseIMESurrogatePairCharacters - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - AllowJapaneseIVSCharacters - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseNonPublishingStandardGlyph - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowJapaneseUserDictionary - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - LowestValueMostSecure - - - - AllowKeyboardTextSuggestions - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowLanguageFeaturesUninstall - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - TextInput.admx - TextInput~AT~WindowsComponents~TextInput - AllowLanguageFeaturesUninstall - LowestValueMostSecure - - - - AllowLinguisticDataCollection - - - - - 1 - - - - - - - - - - - - text/plain - - - TextInput.admx - TextInput~AT~WindowsComponents~TextInput - AllowLinguisticDataCollection - LowestValueMostSecure - - - - ConfigureJapaneseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Japanese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Japanese IME is on by default. Allow to control Microsoft Japanese IME version to use. -1 - The previous version of Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. -2 - The new Microsoft Japanese IME is always selected. Not allowed to control Microsoft Japanese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureJapaneseImeVersion - LowestValueMostSecure - - - - ConfigureSimplifiedChineseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Simplified Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Simplified Chinese IME is on by default. Allow to control Microsoft Simplified Chinese IME version to use. -1 - The previous version of Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. -2 - The new Microsoft Simplified Chinese IME is always selected. Not allowed to control Microsoft Simplified Chinese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureSimplifiedChineseImeVersion - LowestValueMostSecure - - - - ConfigureTraditionalChineseIMEVersion - - - - - 0 - This policy allows the IT admin to configure the Microsoft Traditional Chinese IME version in the desktop. -The following list shows the supported values: -0 (default) – The new Microsoft Traditional Chinese IME is on by default. Allow to control Microsoft Traditional Chinese IME version to use. -1 - The previous version of Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. -2 - The new Microsoft Traditional Chinese IME is always selected. Not allowed to control Microsoft Traditional Chinese IME version to use. - - - - - - - - - - - text/plain - - - EAIME.admx - EAIME~AT~WindowsComponents~L_IME - L_ConfigureTraditionalChineseImeVersion - LowestValueMostSecure - - - - EnableTouchKeyboardAutoInvokeInDesktopMode - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ExcludeJapaneseIMEExceptJIS0208 - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - ExcludeJapaneseIMEExceptJIS0208andEUDC - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - ExcludeJapaneseIMEExceptShiftJIS - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - HighestValueMostSecure - - - - ForceTouchKeyboardDockedState - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardDictationButtonAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardEmojiButtonAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardFullModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardHandwritingModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardNarrowModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardSplitModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - TouchKeyboardWideModeAvailability - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - - TimeLanguageSettings - - - - - - - - - - - - - - - - - - - AllowSet24HourClock - - - - - 0 - - - - - - - - - - - - text/plain - - - desktop - LowestValueMostSecure - - - - ConfigureTimeZone - - - - - - Specifies the time zone to be applied to the device. This is the standard Windows name for the target time zone. - - - - - - - - - - - text/plain - - phone - LastWrite - - - - - Troubleshooting - - - - - - - - - - - - - - - - - - - AllowRecommendations - - - - - 1 - This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it's applied to their domains/IT environments. -Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. - -Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select from one of the following values: -0 = Turn this feature off. -1 = Turn this feature off but still apply critical troubleshooting. -2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. -3 = Run recommended troubleshooting automatically and notify the user after it's been successfully run. -4 = Run recommended troubleshooting automatically without notifying the user. -5 = Allow the user to choose their own recommended troubleshooting settings. - - - - - - - - - - - text/plain - - - phone - MSDT.admx - MSDT~AT~System~Troubleshooting~WdiScenarioCategory - TroubleshootingAllowRecommendations - LowestValueMostSecure - - - - - Update - - - - - - - - - - - - - - - - - - - ActiveHoursEnd - - - - - 17 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursEndTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHours - LastWrite - - - - ActiveHoursMaxRange - - - - - 18 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursMaxRange - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHoursMaxRange - LastWrite - - - - ActiveHoursStart - - - - - 8 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ActiveHoursStartTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ActiveHours - LastWrite - - - - AllowAutoUpdate - - - - - 6 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateMode - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AllowAutoWindowsUpdateDownloadOverMeteredNetwork - LastWrite - - - - AllowMUUpdateService - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsUpdate.admx - AllowMUUpdateServiceId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - AllowNonMicrosoftSignedUpdate - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUpdateService - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LowestValueMostSecure - - - - AutomaticMaintenanceWakeUp - - - - - 1 - This policy setting allows you to configure Automatic Maintenance wake up policy. - -The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wake policy is explicitly disabled, then this setting has no effect. - -If you enable this policy setting, Automatic Maintenance will attempt to set OS wake policy and make a wake request for the daily scheduled time, if required. - -If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply. - - - - - - - - - - - text/plain - - - msched.admx - msched~AT~WindowsComponents~MaintenanceScheduler - WakeUpPolicy - HighestValueMostSecure - - - - AutoRestartDeadlinePeriodInDays - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartDeadline - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartDeadline - LastWrite - - - - AutoRestartDeadlinePeriodInDaysForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartDeadline - LastWrite - - - - AutoRestartNotificationSchedule - - - - - 15 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartNotificationSchd - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartNotificationConfig - LastWrite - - - - AutoRestartRequiredNotificationDismissal - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartRequiredNotificationDismissal - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartRequiredNotificationDismissal - LastWrite - - - - BranchReadinessLevel - - - - - 16 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - BranchReadinessLevelId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - ConfigureDeadlineForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineForFeatureUpdates - LastWrite - - - - ConfigureDeadlineForQualityUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineForQualityUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineForQualityUpdates - LastWrite - - - - ConfigureDeadlineGracePeriod - - - - - 2 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineGracePeriod - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineGracePeriod - LastWrite - - - - ConfigureDeadlineNoAutoReboot - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ConfigureDeadlineNoAutoReboot - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - ConfigureDeadlineNoAutoReboot - HighestValueMostSecure - - - - ConfigureFeatureUpdateUninstallPeriod - - - - - 10 - Enable enterprises/IT admin to configure feature update uninstall period - - - - - - - - - - - text/plain - - - LastWrite - - - - DeferFeatureUpdatesPeriodInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferFeatureUpdatesPeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - DeferQualityUpdatesPeriodInDays - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferQualityUpdatesPeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - DeferUpdatePeriod - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpdatePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - DeferUpgradePeriod - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpgradePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - DetectionFrequency - - - - - 22 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DetectionFrequency_Hour2 - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DetectionFrequency_Title - LastWrite - - - - DisableDualScan - - - - - 0 - Do not allow update deferral policies to cause scans against Windows Update - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DisableDualScan - LastWrite - - - - DisableWUfBSafeguards - - - - - 0 - - - - - - - - - - - - text/plain - - - LastWrite - - - - EngagedRestartDeadline - - - - - 14 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartDeadline - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartDeadlineForFeatureUpdates - - - - - 14 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartDeadlineForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartSnoozeSchedule - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartSnoozeSchedule - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartSnoozeScheduleForFeatureUpdates - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartSnoozeScheduleForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartTransitionSchedule - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartTransitionSchedule - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - EngagedRestartTransitionScheduleForFeatureUpdates - - - - - 7 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - EngagedRestartTransitionScheduleForFeatureUpdates - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - EngagedRestartTransitionSchedule - LastWrite - - - - ExcludeWUDriversInQualityUpdate - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - ExcludeWUDriversInQualityUpdate - LastWrite - - - - FillEmptyContentUrls - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - CorpWUFillEmptyContentUrls - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - IgnoreMOAppDownloadLimit - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - IgnoreMOUpdateDownloadLimit - - - - - 0 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - ManagePreviewBuilds - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ManagePreviewBuildsId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - ManagePreviewBuilds - LastWrite - - - - PauseDeferrals - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseDeferralsId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - PauseFeatureUpdates - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseFeatureUpdatesId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - PauseFeatureUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - PauseFeatureUpdatesStartId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferFeatureUpdates - LastWrite - - - - PauseQualityUpdates - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - PauseQualityUpdatesId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - PauseQualityUpdatesStartTime - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - PauseQualityUpdatesStartId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - DeferQualityUpdates - LastWrite - - - - PhoneUpdateRestrictions - - - - - 4 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - RequireDeferUpgrade - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - DeferUpgradePeriodId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - DeferUpgrade - LastWrite - - - - RequireUpdateApproval - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecure - - - - ScheduledInstallDay - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchDay - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallEveryWeek - - - - - 1 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchEveryWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallFirstWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchFirstWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallFourthWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallFourthWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallSecondWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallSecondWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallThirdWeek - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - ScheduledInstallThirdWeek - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduledInstallTime - - - - - 3 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoUpdateSchTime - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoUpdateCfg - LowestValueMostSecure - - - - ScheduleImminentRestartWarning - - - - - 15 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - RestartWarn - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - RestartWarnRemind - LastWrite - - - - ScheduleRestartWarning - - - - - 4 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - RestartWarnRemind - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - RestartWarnRemind - LastWrite - - - - SetAutoRestartNotificationDisable - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - AutoRestartNotificationSchd - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - AutoRestartNotificationDisable - LastWrite - - - - SetDisablePauseUXAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetDisablePauseUXAccess - LastWrite - - - - SetDisableUXWUAccess - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetDisableUXWUAccess - LastWrite - - - - SetEDURestart - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - SetEDURestart - LastWrite - - - - SetProxyBehaviorForUpdateDetection - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - SetProxyBehaviorForUpdateDetection - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - TargetReleaseVersion - - - - - - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - TargetReleaseVersionId - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat~DeferUpdateCat - TargetReleaseVersion - LastWrite - - - - UpdateNotificationLevel - - - - - 0 - - - - - - - - - - - - text/plain - - - WindowsUpdate.admx - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - UpdateNotificationLevel - LastWrite - - - - UpdateServiceUrl - - - - - CorpWSUS - - - - - - - - - - - - text/plain - - WindowsUpdate.admx - CorpWUURL_Name - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - UpdateServiceUrlAlternate - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsUpdate.admx - CorpWUContentHost_Name - WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - CorpWuURL - LastWrite - - - - - UserRights - - - - - - - - - - - - - - - - - - - AccessCredentialManagerAsTrustedCaller - - - - - - This user right is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this privilege is given to other entities. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Access Credential Manager ase a trusted caller - LastWrite - 0xF000 - - - - AccessFromNetwork - - - - - - This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Access this computer from the network - LastWrite - 0xF000 - - - - ActAsPartOfTheOperatingSystem - - - - - - This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Act as part of the operating system - LastWrite - 0xF000 - - - - AllowLocalLogOn - - - - - - This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Allow log on locally - LastWrite - 0xF000 - - - - BackupFilesAndDirectories - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Back up files and directories - LastWrite - 0xF000 - - - - ChangeSystemTime - - - - - - This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Change the system time - LastWrite - 0xF000 - - - - CreateGlobalObjects - - - - - - This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create global objects - LastWrite - 0xF000 - - - - CreatePageFile - - - - - - This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create a pagefile - LastWrite - 0xF000 - - - - CreatePermanentSharedObjects - - - - - - This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create permanent shared objects - LastWrite - 0xF000 - - - - CreateSymbolicLinks - - - - - - This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create symbolic links - LastWrite - 0xF000 - - - - CreateToken - - - - - - This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Create a token object - LastWrite - 0xF000 - - - - DebugPrograms - - - - - - This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Debug programs - LastWrite - 0xF000 - - - - DenyAccessFromNetwork - - - - - - This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny access to this computer from the network - LastWrite - 0xF000 - - - - DenyLocalLogOn - - - - - - This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny log on as a service - LastWrite - 0xF000 - - - - DenyRemoteDesktopServicesLogOn - - - - - - This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Deny log on through Remote Desktop Services - LastWrite - 0xF000 - - - - EnableDelegation - - - - - - This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Enable computer and user accounts to be trusted for delegation - LastWrite - 0xF000 - - - - GenerateSecurityAudits - - - - - - This user right determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service. Shut down system immediately if unable to log security audits security policy setting is enabled. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Generate security audits - LastWrite - 0xF000 - - - - ImpersonateClient - - - - - - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. -Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Impersonate a client after authentication - LastWrite - 0xF000 - - - - IncreaseSchedulingPriority - - - - - - This user right determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Increase scheduling priority - LastWrite - 0xF000 - - - - LoadUnloadDeviceDrivers - - - - - - This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Load and unload device drivers - LastWrite - 0xF000 - - - - LockMemory - - - - - - This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Lock pages in memory - LastWrite - 0xF000 - - - - ManageAuditingAndSecurityLog - - - - - - This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Manage auditing and security log - LastWrite - 0xF000 - - - - ManageVolume - - - - - - This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Perform volume maintenance tasks - LastWrite - 0xF000 - - - - ModifyFirmwareEnvironment - - - - - - This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Modify firmware environment values - LastWrite - 0xF000 - - - - ModifyObjectLabel - - - - - - This user right determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Modify an object label - LastWrite - 0xF000 - - - - ProfileSingleProcess - - - - - - This user right determines which users can use performance monitoring tools to monitor the performance of system processes. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Profile single process - LastWrite - 0xF000 - - - - RemoteShutdown - - - - - - This user right determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Force shutdown from a remote system - LastWrite - 0xF000 - - - - RestoreFilesAndDirectories - - - - - - This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Restore files and directories - LastWrite - 0xF000 - - - - TakeOwnership - - - - - - This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. - - - - - - - - - - - text/plain - - phone - Windows Settings~Security Settings~Local Policies~User Rights Assignment - Take ownership of files or other objects - LastWrite - 0xF000 - - - - - Wifi - - - - - - - - - - - - - - - - - - - AllowAutoConnectToWiFiSenseHotspots - - - - - 1 - - - - - - - - - - - - text/plain - - - wlansvc.admx - wlansvc~AT~Network~WlanSvc_Category~WlanSettings_Category - WiFiSense - LowestValueMostSecure - - - - AllowInternetSharing - - - - - 1 - - - - - - - - - - - - text/plain - - - NetworkConnections.admx - NetworkConnections~AT~Network~NetworkConnections - NC_ShowSharedAccessUI - LowestValueMostSecure - - - - AllowManualWiFiConfiguration - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWiFi - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowWiFiDirect - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - WLANScanMode - - - - - 0 - - - - - - - - - - - - text/plain - - - HighestValueMostSecureZeroHasNoLimits - - - - - WindowsConnectionManager - - - - - - - - - - - - - - - - - - - ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork - - - - - - - - - - - - - - - - - text/plain - - phone - WCM.admx - WCM~AT~Network~WCM_Category - WCM_BlockNonDomain - LastWrite - - - - - WindowsDefenderSecurityCenter - - - - - - - - - - - - - - - - - - - CompanyName - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_CompanyName - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_CompanyName - LastWrite - - - - DisableAccountProtectionUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AccountProtection - AccountProtection_UILockdown - LastWrite - - - - DisableAppBrowserUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection - AppBrowserProtection_UILockdown - LastWrite - - - - DisableClearTpmButton - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_DisableClearTpmButton - LastWrite - - - - DisableDeviceSecurityUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_UILockdown - LastWrite - - - - DisableEnhancedNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications - Notifications_DisableEnhancedNotifications - LastWrite - - - - DisableFamilyUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FamilyOptions - FamilyOptions_UILockdown - LastWrite - - - - DisableHealthUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DevicePerformanceHealth - DevicePerformanceHealth_UILockdown - LastWrite - - - - DisableNetworkUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~FirewallNetworkProtection - FirewallNetworkProtection_UILockdown - LastWrite - - - - DisableNotifications - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Notifications - Notifications_DisableNotifications - LastWrite - - - - DisableTpmFirmwareUpdateWarning - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_DisableTpmFirmwareUpdateWarning - LastWrite - - - - DisableVirusUI - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection - VirusThreatProtection_UILockdown - LastWrite - - - - DisallowExploitProtectionOverride - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~AppBrowserProtection - AppBrowserProtection_DisallowExploitProtectionOverride - LastWrite - - - - Email - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_Email - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_Email - LastWrite - - - - EnableCustomizedToasts - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_EnableCustomizedToasts - LastWrite - - - - EnableInAppCustomization - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_EnableInAppCustomization - LastWrite - - - - HideRansomwareDataRecovery - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~VirusThreatProtection - VirusThreatProtection_HideRansomwareRecovery - LastWrite - - - - HideSecureBoot - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_HideSecureBoot - LastWrite - - - - HideTPMTroubleshooting - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~DeviceSecurity - DeviceSecurity_HideTPMTroubleshooting - LastWrite - - - - HideWindowsSecurityNotificationAreaControl - - - - - 0 - - - - - - - - - - - - text/plain - - - phone - WindowsDefenderSecurityCenter.admx - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~Systray - Systray_HideSystray - LastWrite - - - - Phone - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_Phone - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_Phone - LastWrite - - - - URL - - - - - - - - - - - - - - - - - text/plain - - phone - WindowsDefenderSecurityCenter.admx - Presentation_EnterpriseCustomization_URL - WindowsDefenderSecurityCenter~AT~WindowsComponents~WindowsDefenderSecurityCenter~EnterpriseCustomization - EnterpriseCustomization_URL - LastWrite - - - - - WindowsInkWorkspace - - - - - - - - - - - - - - - - - - - AllowSuggestedAppsInWindowsInkWorkspace - - - - - 1 - - - - - - - - - - - - text/plain - - - phone - WindowsInkWorkspace.admx - WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace - AllowSuggestedAppsInWindowsInkWorkspace - LowestValueMostSecure - - - - AllowWindowsInkWorkspace - - - - - 2 - - - - - - - - - - - - text/plain - - - phone - WindowsInkWorkspace.admx - AllowWindowsInkWorkspaceDropdown - WindowsInkWorkspace~AT~WindowsComponents~WindowsInkWorkspace - AllowWindowsInkWorkspace - LowestValueMostSecure - - - - - WindowsLogon - - - - - - - - - - - - - - - - - - - AllowAutomaticRestartSignOn - - - - - - - - - - - - - - - - - text/plain - - phone - WinLogon.admx - WinLogon~AT~WindowsComponents~Logon - AutomaticRestartSignOn - LastWrite - - - - ConfigAutomaticRestartSignOn - - - - - - - - - - - - - - - - - text/plain - - phone - WinLogon.admx - WinLogon~AT~WindowsComponents~Logon - ConfigAutomaticRestartSignOn - LastWrite - - - - DisableLockScreenAppNotifications - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - DisableLockScreenAppNotifications - LastWrite - - - - DontDisplayNetworkSelectionUI - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - DontDisplayNetworkSelectionUI - LastWrite - - - - EnableFirstLogonAnimation - - - - - 1 - This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. - -If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. - -If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. - -If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. - -Note: The first sign-in animation will not be shown on Server, so this policy will have no effect. - - - - - - - - - - - text/plain - - - Logon.admx - Logon~AT~System~Logon - EnableFirstLogonAnimation - HighestValueMostSecure - - - - EnumerateLocalUsersOnDomainJoinedComputers - - - - - - - - - - - - - - - - - text/plain - - phone - logon.admx - Logon~AT~System~Logon - EnumerateLocalUsers - LastWrite - - - - HideFastUserSwitching - - - - - 0 - This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. - - - - - - - - - - - text/plain - - - Logon.admx - Logon~AT~System~Logon - HideFastUserSwitching - HighestValueMostSecure - - - - - WindowsPowerShell - - - - - - - - - - - - - - - - - - - TurnOnPowerShellScriptBlockLogging - - - - - - - - - - - - - - - - - text/plain - - phone - PowerShellExecutionPolicy.admx - PowerShellExecutionPolicy~AT~WindowsComponents~PowerShell - EnableScriptBlockLogging - LastWrite - - - - - WirelessDisplay - - - - - - - - - - - - - - - - - - - AllowMdnsAdvertisement - - - - - 1 - This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowMdnsDiscovery - - - - - 1 - This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionFromPC - - - - - 1 - This policy allows you to turn off projection from a PC. - If you set it to 0, your PC cannot discover or project to other devices. - If you set it to 1, your PC can discover and project to other devices. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionFromPCOverInfrastructure - - - - - 1 - This policy allows you to turn off projection from a PC over infrastructure. - If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. - If you set it to 1, your PC can discover and project to other devices over infrastructure. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowProjectionToPC - - - - - 1 - This policy setting allows you to turn off projection to a PC - If you set it to 0, your PC isn't discoverable and can't be projected to - If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. - - - - - - - - - - - text/plain - - - phone - WirelessDisplay.admx - WirelessDisplay~AT~WindowsComponents~Connect - AllowProjectionToPC - LowestValueMostSecure - - - - AllowProjectionToPCOverInfrastructure - - - - - 1 - This policy setting allows you to turn off projection to a PC over infrastructure. - If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. - If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - AllowUserInputFromWirelessDisplayReceiver - - - - - 1 - - - - - - - - - - - - text/plain - - - LowestValueMostSecure - - - - RequirePinForPairing - - - - - 0 - This policy setting allows you to require a pin for pairing. - If you set this to 0, a pin isn't required for pairing. - If you set this to 1, the pairing ceremony for new devices will always require a PIN. - If you set this to 2, all pairings will require PIN. - - - - - - - - - - - text/plain - - - WirelessDisplay.admx - WirelessDisplay~AT~WindowsComponents~Connect - RequirePinForPairing - LastWrite - - - - - - - -```