Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
diff --git a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png
index 6bf38313ac..a5b77e0b42 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png and b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 2527387dd9..9e47f6bd79 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/28/2017
+ms.date: 07/07/2017
---
# What's new in MDM enrollment and management
@@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What's new in Windows 10, version 1511](#whatsnew)
- [What's new in Windows 10, version 1607](#whatsnew1607)
- [What's new in Windows 10, version 1703](#whatsnew10)
+- [What's new in Windows 10, version 1709](#whatsnew1709)
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
- [Get command inside an atomic command is not supported](#getcommand)
- [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification)
@@ -913,6 +914,71 @@ For details about Microsoft mobile device management protocols for Windows 10 s
+##
@@ -1241,6 +1337,14 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
Power/HibernateTimeoutPluggedIn
Power/StandbyTimeoutOnBattery
Power/StandbyTimeoutPluggedIn
+Defender/AttackSurfaceReductionOnlyExclusions
+Defender/AttackSurfaceReductionRules
+Defender/CloudBlockLevel
+Defender/CloudExtendedTimeout
+Defender/EnableGuardMyFolders
+Defender/EnableNetworkProtection
+Defender/GuardedFoldersAllowedApplications
+Defender/GuardedFoldersList
Update/ScheduledInstallEveryWeek
Update/ScheduledInstallFirstWeek
Update/ScheduledInstallFourthWeek
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 44bf627310..baf0b42bec 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -114,21107 +114,3027 @@ The following diagram shows the Policy configuration service provider in tree fo
> [!Note]
> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S.
-
-
-
-## Policies
-
-
-**AboveLock/AllowActionCenterNotifications**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
-  |
- |
- |
- |
- |
-  |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-Specifies whether to allow Action Center notifications above the device lock screen.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**AboveLock/AllowCortanaAboveLock**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**AboveLock/AllowToasts**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to allow toast notifications above the device lock screen.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Accounts/AllowAddingNonMicrosoftAccountsManually**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether user is allowed to add non-MSA email accounts.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-> [!NOTE]
-> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
-
-
-
-
-**Accounts/AllowMicrosoftAccountConnection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Accounts/AllowMicrosoftAccountSignInAssistant**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
-
-
The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Manual start.
-
-
-
-
-**Accounts/DomainNamesForEmailSync**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies a list of the domains that are allowed to sync email on the device.
-
-
The data type is a string.
-
-
The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
-
-
-
-
-**ActiveXControls/ApprovedInstallationSites**
-
-
-This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
-
-If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
-
-If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
-
-Note: Wild card characters cannot be used when specifying the host URLs.
-
-
-
-ADMX Info:
-- GP english name: *Approved Installation Sites for ActiveX Controls*
-- GP name: *ApprovedActiveXInstallSites*
-- GP path: *Windows Components/ActiveX Installer Service*
-- GP ADMX file name: *ActiveXInstallService.admx*
-
-
-
-
-**AppVirtualization/AllowAppVClient**
-
-
-This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
-
-
-
-ADMX Info:
-- GP english name: *Enable App-V Client*
-- GP name: *EnableAppV*
-- GP path: *System/App-V*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowDynamicVirtualization**
-
-
-Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
-
-
-
-ADMX Info:
-- GP english name: *Enable Dynamic Virtualization*
-- GP name: *Virtualization_JITVEnable*
-- GP path: *System/App-V/Virtualization*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowPackageCleanup**
-
-
-Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
-
-
-
-ADMX Info:
-- GP english name: *Enable automatic cleanup of unused appv packages*
-- GP name: *PackageManagement_AutoCleanupEnable*
-- GP path: *System/App-V/Package Management*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowPackageScripts**
-
-
-Enables scripts defined in the package manifest of configuration files that should run.
-
-
-
-ADMX Info:
-- GP english name: *Enable Package Scripts*
-- GP name: *Scripting_Enable_Package_Scripts*
-- GP path: *System/App-V/Scripting*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowPublishingRefreshUX**
-
-
-Enables a UX to display to the user when a publishing refresh is performed on the client.
-
-
-
-ADMX Info:
-- GP english name: *Enable Publishing Refresh UX*
-- GP name: *Enable_Publishing_Refresh_UX*
-- GP path: *System/App-V/Publishing*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowReportingServer**
-
-
-Reporting Server URL: Displays the URL of reporting server.
-
-Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
-
-Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load.
-
-Repeat reporting for every (days): The periodical interval in days for sending the reporting data.
-
-Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.
-
-Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
-
-
-
-ADMX Info:
-- GP english name: *Reporting Server*
-- GP name: *Reporting_Server_Policy*
-- GP path: *System/App-V/Reporting*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowRoamingFileExclusions**
-
-
-Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
-
-
-
-ADMX Info:
-- GP english name: *Roaming File Exclusions*
-- GP name: *Integration_Roaming_File_Exclusions*
-- GP path: *System/App-V/Integration*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowRoamingRegistryExclusions**
-
-
-Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
-
-
-
-ADMX Info:
-- GP english name: *Roaming Registry Exclusions*
-- GP name: *Integration_Roaming_Registry_Exclusions*
-- GP path: *System/App-V/Integration*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/AllowStreamingAutoload**
-
-
-Specifies how new packages should be loaded automatically by App-V on a specific computer.
-
-
-
-ADMX Info:
-- GP english name: *Specify what to load in background (aka AutoLoad)*
-- GP name: *Steaming_Autoload*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/ClientCoexistenceAllowMigrationmode**
-
-
-Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
-
-
-
-ADMX Info:
-- GP english name: *Enable Migration Mode*
-- GP name: *Client_Coexistence_Enable_Migration_mode*
-- GP path: *System/App-V/Client Coexistence*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/IntegrationAllowRootGlobal**
-
-
-Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
-
-
-
-ADMX Info:
-- GP english name: *Integration Root User*
-- GP name: *Integration_Root_User*
-- GP path: *System/App-V/Integration*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/IntegrationAllowRootUser**
-
-
-Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
-
-
-
-ADMX Info:
-- GP english name: *Integration Root Global*
-- GP name: *Integration_Root_Global*
-- GP path: *System/App-V/Integration*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/PublishingAllowServer1**
-
-
-Publishing Server Display Name: Displays the name of publishing server.
-
-Publishing Server URL: Displays the URL of publishing server.
-
-Global Publishing Refresh: Enables global publishing refresh (Boolean).
-
-Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-
-Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-
-Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-User Publishing Refresh: Enables user publishing refresh (Boolean).
-
-User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-
-User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-
-User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-
-
-ADMX Info:
-- GP english name: *Publishing Server 1 Settings*
-- GP name: *Publishing_Server1_Policy*
-- GP path: *System/App-V/Publishing*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/PublishingAllowServer2**
-
-
-Publishing Server Display Name: Displays the name of publishing server.
-
-Publishing Server URL: Displays the URL of publishing server.
-
-Global Publishing Refresh: Enables global publishing refresh (Boolean).
-
-Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-
-Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-
-Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-User Publishing Refresh: Enables user publishing refresh (Boolean).
-
-User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-
-User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-
-User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-
-
-ADMX Info:
-- GP english name: *Publishing Server 2 Settings*
-- GP name: *Publishing_Server2_Policy*
-- GP path: *System/App-V/Publishing*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/PublishingAllowServer3**
-
-
-Publishing Server Display Name: Displays the name of publishing server.
-
-Publishing Server URL: Displays the URL of publishing server.
-
-Global Publishing Refresh: Enables global publishing refresh (Boolean).
-
-Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-
-Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-
-Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-User Publishing Refresh: Enables user publishing refresh (Boolean).
-
-User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-
-User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-
-User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-
-
-ADMX Info:
-- GP english name: *Publishing Server 3 Settings*
-- GP name: *Publishing_Server3_Policy*
-- GP path: *System/App-V/Publishing*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/PublishingAllowServer4**
-
-
-Publishing Server Display Name: Displays the name of publishing server.
-
-Publishing Server URL: Displays the URL of publishing server.
-
-Global Publishing Refresh: Enables global publishing refresh (Boolean).
-
-Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-
-Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-
-Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-User Publishing Refresh: Enables user publishing refresh (Boolean).
-
-User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-
-User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-
-User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-
-
-ADMX Info:
-- GP english name: *Publishing Server 4 Settings*
-- GP name: *Publishing_Server4_Policy*
-- GP path: *System/App-V/Publishing*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/PublishingAllowServer5**
-
-
-Publishing Server Display Name: Displays the name of publishing server.
-
-Publishing Server URL: Displays the URL of publishing server.
-
-Global Publishing Refresh: Enables global publishing refresh (Boolean).
-
-Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
-
-Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
-
-Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-User Publishing Refresh: Enables user publishing refresh (Boolean).
-
-User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
-
-User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
-
-User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
-
-
-
-ADMX Info:
-- GP english name: *Publishing Server 5 Settings*
-- GP name: *Publishing_Server5_Policy*
-- GP path: *System/App-V/Publishing*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
-
-
-Specifies the path to a valid certificate in the certificate store.
-
-
-
-ADMX Info:
-- GP english name: *Certificate Filter For Client SSL*
-- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowHighCostLaunch**
-
-
-This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
-
-
-
-ADMX Info:
-- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
-- GP name: *Streaming_Allow_High_Cost_Launch*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowLocationProvider**
-
-
-Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
-
-
-
-ADMX Info:
-- GP english name: *Location Provider*
-- GP name: *Streaming_Location_Provider*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowPackageInstallationRoot**
-
-
-Specifies directory where all new applications and updates will be installed.
-
-
-
-ADMX Info:
-- GP english name: *Package Installation Root*
-- GP name: *Streaming_Package_Installation_Root*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowPackageSourceRoot**
-
-
-Overrides source location for downloading package content.
-
-
-
-ADMX Info:
-- GP english name: *Package Source Root*
-- GP name: *Streaming_Package_Source_Root*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowReestablishmentInterval**
-
-
-Specifies the number of seconds between attempts to reestablish a dropped session.
-
-
-
-ADMX Info:
-- GP english name: *Reestablishment Interval*
-- GP name: *Streaming_Reestablishment_Interval*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingAllowReestablishmentRetries**
-
-
-Specifies the number of times to retry a dropped session.
-
-
-
-ADMX Info:
-- GP english name: *Reestablishment Retries*
-- GP name: *Streaming_Reestablishment_Retries*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingSharedContentStoreMode**
-
-
-Specifies that streamed package contents will be not be saved to the local hard disk.
-
-
-
-ADMX Info:
-- GP english name: *Shared Content Store (SCS) mode*
-- GP name: *Streaming_Shared_Content_Store_Mode*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingSupportBranchCache**
-
-
-If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
-
-
-
-ADMX Info:
-- GP english name: *Enable Support for BranchCache*
-- GP name: *Streaming_Support_Branch_Cache*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/StreamingVerifyCertificateRevocationList**
-
-
-Verifies Server certificate revocation status before streaming using HTTPS.
-
-
-
-ADMX Info:
-- GP english name: *Verify certificate revocation list*
-- GP name: *Streaming_Verify_Certificate_Revocation_List*
-- GP path: *System/App-V/Streaming*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**AppVirtualization/VirtualComponentsAllowList**
-
-
-Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
-
-
-
-ADMX Info:
-- GP english name: *Virtual Component Process Allow List*
-- GP name: *Virtualization_JITVAllowList*
-- GP path: *System/App-V/Virtualization*
-- GP ADMX file name: *appv.admx*
-
-
-
-
-**ApplicationDefaults/DefaultAssociationsConfiguration**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
-
-
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
-
-
To create create the SyncML, follow these steps:
-
-- Install a few apps and change your defaults.
-- From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
-- Take the XML output and put it through your favorite base64 encoder app.
-- Paste the base64 encoded XML into the SyncML
-
-
-Here is an example output from the dism default association export command:
-
-``` syntax
-
-
-
-
-
-
-
-Here is the base64 encoded result:
-
-``` syntax
-PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-```
-
-
Here is the SyncMl example:
-
-``` syntax
-
-
-
-
- 101
- -
-
- chr
- text/plain
-
-
- ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
-
- PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-
-
-
-
-
-
-```
-
-
-
-
-**ApplicationManagement/AllowAllTrustedApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether non Windows Store apps are allowed.
-
-
The following list shows the supported values:
-
-- 0 – Explicit deny.
-- 1 – Explicit allow unlock.
-- 65535 (default) – Not configured.
-
-
Most restricted value is 0.
-
-
-
-
-**ApplicationManagement/AllowAppStoreAutoUpdate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether automatic update of apps from Windows Store are allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**ApplicationManagement/AllowDeveloperUnlock**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether developer unlock is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Explicit deny.
-- 1 – Explicit allow unlock.
-- 65535 (default) – Not configured.
-
-
Most restricted value is 0.
-
-
-
-
-**ApplicationManagement/AllowGameDVR**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-Specifies whether DVR and broadcasting is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**ApplicationManagement/AllowSharedUserAppData**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether multiple users of the same app can share data.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**ApplicationManagement/AllowStore**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether app store is allowed at the device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**ApplicationManagement/ApplicationRestrictions**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
-
-An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
-
-> [!NOTE]
-> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
->
-> Here's additional guidance for the upgrade process:
->
-> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
-> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
-> - In the SyncML, you must use lowercase product ID.
-> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
-> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
-
-
-
An application that is running may not be immediately terminated.
-
-
Value type is chr.
-
-
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
-
-
-
-
-**ApplicationManagement/DisableStoreOriginatedApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
-
-
The following list shows the supported values:
-
-- 0 (default) – Enable launch of apps.
-- 1 – Disable launch of apps.
-
-
-
-
-**ApplicationManagement/RequirePrivateStoreOnly**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows disabling of the retail catalog and only enables the Private store.
-
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result.
-
-
-
The following list shows the supported values:
-
-- 0 (default) – Allow both public and Private store.
-- 1 – Only Private store is enabled.
-
-
This is a per user policy.
-
-
Most restricted value is 1.
-
-
-
-
-**ApplicationManagement/RestrictAppDataToSystemVolume**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether application data is restricted to the system drive.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not restricted.
-- 1 – Restricted.
-
-
Most restricted value is 1.
-
-
-
-
-**ApplicationManagement/RestrictAppToSystemVolume**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether the installation of applications is restricted to the system drive.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not restricted.
-- 1 – Restricted.
-
-
Most restricted value is 1.
-
-
-
-
-**AttachmentManager/DoNotPreserveZoneInformation**
-
-
-This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
-
-If you enable this policy setting, Windows does not mark file attachments with their zone information.
-
-If you disable this policy setting, Windows marks file attachments with their zone information.
-
-If you do not configure this policy setting, Windows marks file attachments with their zone information.
-
-
-
-ADMX Info:
-- GP english name: *Do not preserve zone information in file attachments*
-- GP name: *AM_MarkZoneOnSavedAtttachments*
-- GP path: *Windows Components/Attachment Manager*
-- GP ADMX file name: *AttachmentManager.admx*
-
-
-
-
-**AttachmentManager/HideZoneInfoMechanism**
-
-
-This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
-
-If you enable this policy setting, Windows hides the check box and Unblock button.
-
-If you disable this policy setting, Windows shows the check box and Unblock button.
-
-If you do not configure this policy setting, Windows hides the check box and Unblock button.
-
-
-
-ADMX Info:
-- GP english name: *Hide mechanisms to remove zone information*
-- GP name: *AM_RemoveZoneInfo*
-- GP path: *Windows Components/Attachment Manager*
-- GP ADMX file name: *AttachmentManager.admx*
-
-
-
-
-**AttachmentManager/NotifyAntivirusPrograms**
-
-
-This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
-
-If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
-
-If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
-
-If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
-
-
-
-ADMX Info:
-- GP english name: *Notify antivirus programs when opening attachments*
-- GP name: *AM_CallIOfficeAntiVirus*
-- GP path: *Windows Components/Attachment Manager*
-- GP ADMX file name: *AttachmentManager.admx*
-
-
-
-
-**Authentication/AllowEAPCertSSO**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
-
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result.
-
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Authentication/AllowFastReconnect**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Authentication/AllowSecondaryAuthenticationDevice**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 – Allowed.
-
-
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
-
-
-
-
-**Autoplay/DisallowAutoplayForNonVolumeDevices**
-
-
-This policy setting disallows AutoPlay for MTP devices like cameras or phones.
-
-If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
-
-If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
-
-
-
-ADMX Info:
-- GP english name: *Disallow Autoplay for non-volume devices*
-- GP name: *NoAutoplayfornonVolume*
-- GP path: *Windows Components/AutoPlay Policies*
-- GP ADMX file name: *AutoPlay.admx*
-
-
-
-
-**Autoplay/SetDefaultAutoRunBehavior**
-
-
-This policy setting sets the default behavior for Autorun commands.
-
-Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
-
-Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
-
-This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
-
-If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:
-
-a) Completely disable autorun commands, or
-b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.
-
-If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
-
-
-
-ADMX Info:
-- GP english name: *Set the default behavior for AutoRun*
-- GP name: *NoAutorun*
-- GP path: *Windows Components/AutoPlay Policies*
-- GP ADMX file name: *AutoPlay.admx*
-
-
-
-
-**Autoplay/TurnOffAutoPlay**
-
-
-This policy setting allows you to turn off the Autoplay feature.
-
-Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
-
-Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.
-
-Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.
-
-If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
-
-This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.
-
-If you disable or do not configure this policy setting, AutoPlay is enabled.
-
-Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
-
-
-
-ADMX Info:
-- GP english name: *Turn off Autoplay*
-- GP name: *Autorun*
-- GP path: *Windows Components/AutoPlay Policies*
-- GP ADMX file name: *AutoPlay.admx*
-
-
-
-
-**Bitlocker/EncryptionMethod**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies the BitLocker Drive Encryption method and cipher strength.
-
-> [!NOTE]
-> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
-
-
The following list shows the supported values:
-
-- 3 - AES-CBC 128-bit
-- 4 - AES-CBC 256-bit
-- 6 - XTS-AES 128-bit (Desktop only)
-- 7 - XTS-AES 256-bit (Desktop only)
-
-
-
-
-**Bluetooth/AllowAdvertising**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether the device can send out Bluetooth advertisements.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral.
-- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.
-
-
If this is not set or it is deleted, the default value of 1 (Allow) is used.
-
-
Most restricted value is 0.
-
-
-
-
-**Bluetooth/AllowDiscoverableMode**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether other Bluetooth-enabled devices can discover the device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device.
-- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.
-
-
If this is not set or it is deleted, the default value of 1 (Allow) is used.
-
-
Most restricted value is 0.
-
-
-
-
-**Bluetooth/AllowPrepairing**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default)– Allowed.
-
-
-
-
-**Bluetooth/LocalDeviceName**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Sets the local Bluetooth device name.
-
-
If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
-
-
If this policy is not set or it is deleted, the default local radio name is used.
-
-
-
-
-**Bluetooth/ServicesAllowedList**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
-
-
The default value is an empty string.
-
-
-
-
-**Browser/AllowAddressBarDropdown**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
-
-> [!NOTE]
-> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
-- 1 (default) – Allowed. Address bar drop-down is enabled.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/AllowAutofill**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether autofill on websites is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
To verify AllowAutofill is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Save form entries** is greyed out.
-
-
-
-
-**Browser/AllowBrowser**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
-
-
-Specifies whether the browser is allowed on the device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
-
-
-
-
-**Browser/AllowCookies**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether cookies are allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
To verify AllowCookies is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Cookies** is greyed out.
-
-
-
-
-**Browser/AllowDeveloperTools**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/AllowDoNotTrack**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether Do Not Track headers are allowed.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-
Most restricted value is 1.
-
-
To verify AllowDoNotTrack is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Send Do Not Track requests** is greyed out.
-
-
-
-
-**Browser/AllowExtensions**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Browser/AllowFlash**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Browser/AllowFlashClickToRun**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
-
-
The following list shows the supported values:
-
-- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge.
-- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
-
-
-
-
-**Browser/AllowInPrivate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether InPrivate browsing is allowed on corporate networks.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/AllowMicrosoftCompatibilityList**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
-By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
-
-
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation.
-
-
The following list shows the supported values:
-
-- 0 – Not enabled.
-- 1 (default) – Enabled.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/AllowPasswordManager**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether saving and managing passwords locally on the device is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
To verify AllowPasswordManager is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
-
-
-
-
-**Browser/AllowPopups**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether pop-up blocker is allowed or enabled.
-
-
The following list shows the supported values:
-
-- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed.
-- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
-
-
Most restricted value is 1.
-
-
To verify AllowPopups is set to 0 (not allowed):
-
-1. Open Microsoft Edge.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Block pop-ups** is greyed out.
-
-
-
-
-**Browser/AllowSearchEngineCustomization**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
-
-
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/AllowSearchSuggestionsinAddressBar**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether search suggestions are allowed in the address bar.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/AllowSmartScreen**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether Windows Defender SmartScreen is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 1.
-
-
To verify AllowSmartScreen is set to 0 (not allowed):
-
-1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
-2. In the upper-right corner of the browser, click **…**.
-3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
-4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
-
-
-
-
-**Browser/ClearBrowsingDataOnExit**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
-
-
The following list shows the supported values:
-
-- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
-- 1 – Browsing data is cleared on exit.
-
-
Most restricted value is 1.
-
-
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
-
-1. Open Microsoft Edge and browse to websites.
-2. Close the Microsoft Edge window.
-3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
-
-
-
-
-**Browser/ConfigureAdditionalSearchEngines**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
-
-
If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
-Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.
-
-
If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine.
-
-> [!IMPORTANT]
-> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.
-
-
The following list shows the supported values:
-
-- 0 (default) – Additional search engines are not allowed.
-- 1 – Additional search engines are allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/DisableLockdownOfStartPages**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
-
-> [!NOTE]
-> This policy has no effect when the Browser/HomePages policy is not configured.
-
-> [!IMPORTANT]
-> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
-
The following list shows the supported values:
-
-- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
-- 1 – Disable lockdown of the Start pages and allow users to modify them.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/EnterpriseModeSiteList**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows the user to specify an URL of an enterprise site list.
-
-
The following list shows the supported values:
-
-- Not configured. The device checks for updates from Microsoft Update.
-- Set to a URL location of the enterprise site list.
-
-
-
-
-**Browser/EnterpriseSiteListServiceUrl**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!IMPORTANT]
-> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
-
-
-
-
-**Browser/FirstRunURL**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time.
-
-
The data type is a string.
-
-
The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
-
-
-
-
-**Browser/HomePages**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>"
-
-
Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.
-
-
Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.
-
-> [!NOTE]
-> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
-
-
-
-
-**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
-
-
The following list shows the supported values:
-
-- 0 (default) – Users can access the about:flags page in Microsoft Edge.
-- 1 – Users can't access the about:flags page in Microsoft Edge.
-
-
-
-
-**Browser/PreventFirstRunPage**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
-
-
The following list shows the supported values:
-
-- 0 (default) – Employees see the First Run webpage.
-- 1 – Employees don't see the First Run webpage.
-
-
Most restricted value is 1.
-
-
-
-
-**Browser/PreventLiveTileDataCollection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
-
-
The following list shows the supported values:
-
-- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
-- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
-
-
Most restricted value is 1.
-
-
-
-
-**Browser/PreventSmartScreenPromptOverride**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
-
-
The following list shows the supported values:
-
-- 0 (default) – Off.
-- 1 – On.
-
-
Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
-
-
-
-
-**Browser/PreventSmartScreenPromptOverrideForFiles**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
-
-
The following list shows the supported values:
-
-- 0 (default) – Off.
-- 1 – On.
-
-
-
-
-**Browser/PreventUsingLocalHostIPAddressForWebRTC**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an
user’s localhost IP address while making phone calls using WebRTC.
-
-
The following list shows the supported values:
-
-- 0 (default) – The localhost IP address is shown.
-- 1 – The localhost IP address is hidden.
-
-
-
-
-**Browser/SendIntranetTraffictoInternetExplorer**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Specifies whether to send intranet traffic over to Internet Explorer.
-
-
The following list shows the supported values:
-
-- 0 (default) – Intranet traffic is sent to Internet Explorer.
-- 1 – Intranet traffic is sent to Microsoft Edge.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/SetDefaultSearchEngine**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
-
-
You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.
-
-
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
-
-> [!IMPORTANT]
-> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
-
-
The following list shows the supported values:
-
-- 0 (default) - The default search engine is set to the one specified in App settings.
-- 1 - Allows you to configure the default search engine for your employees.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
-
-
The following list shows the supported values:
-
-- 0 (default) – Interstitial pages are not shown.
-- 1 – Interstitial pages are shown.
-
-
Most restricted value is 0.
-
-
-
-
-**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
->
-> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices.
-
-
The following list shows the supported values:
-
-- 0 (default) – Synchronization is off.
-- 1 – Synchronization is on.
-
-
To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
-
-
-- Open Internet Explorer and add some favorites.
-
- Open Microsoft Edge, then select Hub > Favorites.
-
- Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
-
-
-
-
-
-**Camera/AllowCamera**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Disables or enables the camera.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Connectivity/AllowBluetooth**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows the user to enable Bluetooth or restrict access.
-
-
The following list shows the supported values:
-
-- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
-- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
-
-> [!NOTE]
-> This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.
-
-- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
-
-
If this is not set or it is deleted, the default value of 2 (Allow) is used.
-
-
Most restricted value is 0.
-
-
-
-
-**Connectivity/AllowCellularData**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
-
-
The following list shows the supported values:
-
-- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511.
-- 1 (default) – Allow the cellular data channel. The user can turn it off.
-- 2 - Allow the cellular data channel. The user cannot turn it off.
-
-
-
-
-**Connectivity/AllowCellularDataRoaming**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
-
-
The following list shows the supported values:
-
-- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511.
-- 1 (default) – Allow cellular data roaming.
-- 2 - Allow cellular data roaming on. The user cannot turn it off.
-
-
Most restricted value is 0.
-
-
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
-
-
To validate on mobile devices, do the following:
-
-1. Go to Cellular & SIM.
-2. Click on the SIM (next to the signal strength icon) and select **Properties**.
-3. On the Properties page, select **Data roaming options**.
-
-
-
-
-**Connectivity/AllowConnectedDevices**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
-
-
The following list shows the supported values:
-
-- 1 (default) - Allow (CDP service available).
-- 0 - Disable (CDP service not available).
-
-
-
-
-**Connectivity/AllowNFC**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Allows or disallows near field communication (NFC) on the device.
-
-
The following list shows the supported values:
-
-- 0 – Do not allow NFC capabilities.
-- 1 (default) – Allow NFC capabilities.
-
-
Most restricted value is 0.
-
-
-
-
-**Connectivity/AllowUSBConnection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
-
-
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Connectivity/AllowVPNOverCellular**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies what type of underlying connections VPN is allowed to use.
-
-
The following list shows the supported values:
-
-- 0 – VPN is not allowed over cellular.
-- 1 (default) – VPN can use any connection, including cellular.
-
-
Most restricted value is 0.
-
-
-
-
-**Connectivity/AllowVPNRoamingOverCellular**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Prevents the device from connecting to VPN when the device roams over cellular networks.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Connectivity/HardenedUNCPaths**
-
-
-This policy setting configures secure access to UNC paths.
-
-If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
-
-
-
-ADMX Info:
-- GP english name: *Hardened UNC Paths*
-- GP name: *Pol_HardenedPaths*
-- GP path: *Network/Network Provider*
-- GP ADMX file name: *networkprovider.admx*
-
-
-
-
-**CredentialProviders/AllowPINLogon**
-
-
-This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
-
-If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
-
-If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
-
-Note: The user's domain password will be cached in the system vault when using this feature.
-
-To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
-
-
-
-ADMX Info:
-- GP english name: *Turn on convenience PIN sign-in*
-- GP name: *AllowDomainPINLogon*
-- GP path: *System/Logon*
-- GP ADMX file name: *credentialproviders.admx*
-
-
-
-
-**CredentialProviders/BlockPicturePassword**
-
-
-This policy setting allows you to control whether a domain user can sign in using a picture password.
-
-If you enable this policy setting, a domain user can't set up or sign in with a picture password.
-
-If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
-
-Note that the user's domain password will be cached in the system vault when using this feature.
-
-
-
-ADMX Info:
-- GP english name: *Turn off picture password sign-in*
-- GP name: *BlockDomainPicturePassword*
-- GP path: *System/Logon*
-- GP ADMX file name: *credentialproviders.admx*
-
-
-
-
-**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 3 |
- 3 |
- 3 |
- 3 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
-
-The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
-
-Default value is 0.
-
-
-
-
-**CredentialsUI/DisablePasswordReveal**
-
-
-This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
-
-If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
-
-If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
-
-By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
-
-The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
-
-
-
-ADMX Info:
-- GP english name: *Do not display the password reveal button*
-- GP name: *DisablePasswordReveal*
-- GP path: *Windows Components/Credential User Interface*
-- GP ADMX file name: *credui.admx*
-
-
-
-
-**CredentialsUI/EnumerateAdministrators**
-
-
-This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
-
-If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
-
-If you disable this policy setting, users will always be required to type a user name and password to elevate.
-
-
-
-ADMX Info:
-- GP english name: *Enumerate administrator accounts on elevation*
-- GP name: *EnumerateAdministrators*
-- GP path: *Windows Components/Credential User Interface*
-- GP ADMX file name: *credui.admx*
-
-
-
-
-**Cryptography/AllowFipsAlgorithmPolicy**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows or disallows the Federal Information Processing Standard (FIPS) policy.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1– Allowed.
-
-
-
-
-**Cryptography/TLSCipherSuites**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
-
-
-
-
-**DataProtection/AllowDirectMemoryAccess**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**DataProtection/LegacySelectiveWipeID**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!IMPORTANT]
-> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
-
-
-Setting used by Windows 8.1 Selective Wipe.
-
-> [!NOTE]
-> This policy is not recommended for use in Windows 10.
-
-
-
-
-**DataUsage/SetCost3G**
-
-
-This policy setting configures the cost of 3G connections on the local machine.
-
-If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
-
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
-
-- Variable: This connection is costed on a per byte basis.
-
-If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
-
-
-
-ADMX Info:
-- GP english name: *Set 3G Cost*
-- GP name: *SetCost3G*
-- GP path: *Network/WWAN Service/WWAN Media Cost*
-- GP ADMX file name: *wwansvc.admx*
-
-
-
-
-**DataUsage/SetCost4G**
-
-
-This policy setting configures the cost of 4G connections on the local machine.
-
-If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
-
-- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
-
-- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
-
-- Variable: This connection is costed on a per byte basis.
-
-If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
-
-
-
-ADMX Info:
-- GP english name: *Set 4G Cost*
-- GP name: *SetCost4G*
-- GP path: *Network/WWAN Service/WWAN Media Cost*
-- GP ADMX file name: *wwansvc.admx*
-
-
-
-
-**Defender/AllowArchiveScanning**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows scanning of archives.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowBehaviorMonitoring**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender Behavior Monitoring functionality.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowCloudProtection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowEmailScanning**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows scanning of email.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-
-
-
-**Defender/AllowFullScanOnMappedNetworkDrives**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows a full scan of mapped network drives.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-
-
-
-**Defender/AllowFullScanRemovableDriveScanning**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows a full scan of removable drives.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowIOAVProtection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender IOAVP Protection functionality.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowIntrusionPreventionSystem**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender Intrusion Prevention functionality.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowOnAccessProtection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender On Access Protection functionality.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowRealtimeMonitoring**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender Realtime Monitoring functionality.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowScanningNetworkFiles**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows a scanning of network files.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowScriptScanning**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender Script Scanning functionality.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AllowUserUIAccess**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Defender/AvgCPULoadFactor**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Represents the average CPU load factor for the Windows Defender scan (in percent).
-
-
Valid values: 0–100
-
-
The default value is 50.
-
-
-
-
-**Defender/DaysToRetainCleanedMalware**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Time period (in days) that quarantine items will be stored on the system.
-
-
Valid values: 0–90
-
-
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
-
-
-
-
-**Defender/ExcludedExtensions**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
-
-
-
-
-**Defender/ExcludedPaths**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
-
-
-
-
-**Defender/ExcludedProcesses**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows an administrator to specify a list of files opened by processes to ignore during a scan.
-
-> [!IMPORTANT]
-> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path.
-
-
-
Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
-
-
-
-
-**Defender/PUAProtection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
-
-
The following list shows the supported values:
-
-- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
-- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
-- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
-
-
-
-
-**Defender/RealTimeScanDirection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Controls which sets of files should be monitored.
-
-> [!NOTE]
-> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
-
-
-
The following list shows the supported values:
-
-- 0 (default) – Monitor all files (bi-directional).
-- 1 – Monitor incoming files.
-- 2 – Monitor outgoing files.
-
-
-
-
-**Defender/ScanParameter**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Selects whether to perform a quick scan or full scan.
-
-
The following list shows the supported values:
-
-- 1 (default) – Quick scan
-- 2 – Full scan
-
-
-
-
-**Defender/ScheduleQuickScanTime**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Selects the time of day that the Windows Defender quick scan should run.
-
-> [!NOTE]
-> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
-
-
Valid values: 0–1380
-
-
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
-
The default value is 120
-
-
-
-
-**Defender/ScheduleScanDay**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Selects the day that the Windows Defender scan should run.
-
-> [!NOTE]
-> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
-
-
The following list shows the supported values:
-
-- 0 (default) – Every day
-- 1 – Monday
-- 2 – Tuesday
-- 3 – Wednesday
-- 4 – Thursday
-- 5 – Friday
-- 6 – Saturday
-- 7 – Sunday
-- 8 – No scheduled scan
-
-
-
-
-**Defender/ScheduleScanTime**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Selects the time of day that the Windows Defender scan should run.
-
-> [!NOTE]
-> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
-
-
Valid values: 0–1380.
-
-
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
-
The default value is 120.
-
-
-
-
-**Defender/SignatureUpdateInterval**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
-
-
Valid values: 0–24.
-
-
A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
-
-
The default value is 8.
-
-
-
-
-**Defender/SubmitSamplesConsent**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
-
-
The following list shows the supported values:
-
-- 0 – Always prompt.
-- 1 (default) – Send safe samples automatically.
-- 2 – Never send.
-- 3 – Send all samples automatically.
-
-
-
-
-**Defender/ThreatSeverityDefaultAction**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
-
-
This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
-
-
The following list shows the supported values for threat severity levels:
-
-- 1 – Low severity threats
-- 2 – Moderate severity threats
-- 4 – High severity threats
-- 5 – Severe threats
-
-
The following list shows the supported values for possible actions:
-
-- 1 – Clean
-- 2 – Quarantine
-- 3 – Remove
-- 6 – Allow
-- 8 – User defined
-- 10 – Block
-
-
-
-
-**DeliveryOptimization/DOAbsoluteMaxCacheSize**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
-
-
The default value is 10.
-
-
-
-
-**DeliveryOptimization/DOAllowVPNPeerCaching**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
-
The default value is 0 (FALSE).
-
-
-
-
-**DeliveryOptimization/DODownloadMode**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
-
-
The following list shows the supported values:
-
-- 0 –HTTP only, no peering.
-- 1 (default) – HTTP blended with peering behind the same NAT.
-- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
-- 3 – HTTP blended with Internet peering.
-- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
-- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
-
-
-
-
-**DeliveryOptimization/DOGroupId**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
-
-> [!NOTE]
-> You must use a GUID as the group ID.
-
-
-
-
-**DeliveryOptimization/DOMaxCacheAge**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
-
-
The default value is 259200 seconds (3 days).
-
-
-
-
-**DeliveryOptimization/DOMaxCacheSize**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
-
-
The default value is 20.
-
-
-
-
-**DeliveryOptimization/DOMaxDownloadBandwidth**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
-
-
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
-
-
-
-
-**DeliveryOptimization/DOMaxUploadBandwidth**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
-
-
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
-
-
-
-
-**DeliveryOptimization/DOMinBackgroundQos**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
-
-
The default value is 500.
-
-
-
-
-**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
-
-
The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
-
-
-
-
-**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
-
-> [!NOTE]
-> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
-
-
The default value is 32 GB.
-
-
-
-
-**DeliveryOptimization/DOMinFileSizeToCache**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
-
-
The default value is 100 MB.
-
-
-
-
-**DeliveryOptimization/DOMinRAMAllowedToPeer**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
-
-
The default value is 4 GB.
-
-
-
-
-**DeliveryOptimization/DOModifyCacheDrive**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
-
-
By default, %SystemDrive% is used to store the cache.
-
-
-
-
-**DeliveryOptimization/DOMonthlyUploadDataCap**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
-
-
The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
-
-
The default value is 20.
-
-
-
-
-**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
-
-
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
-
-
-
-
-**Desktop/PreventUserRedirectionOfProfileFolders**
-
-
-Prevents users from changing the path to their profile folders.
-
-By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
-
-If you enable this setting, users are unable to type a new location in the Target box.
-
-
-
-ADMX Info:
-- GP english name: *Prohibit User from manually redirecting Profile Folders*
-- GP name: *DisablePersonalDirChange*
-- GP path: *Desktop*
-- GP ADMX file name: *desktop.admx*
-
-
-
-
-
-**DeviceGuard/EnableVirtualizationBasedSecurity**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 3 |
- 3 |
- |
- |
-
-
-
-
-
-
-Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values:
-
-- 0 (default) - disable virtualization based security
-- 1 - enable virtualization based security
-
-
-
-
-
-
-**DeviceGuard/RequirePlatformSecurityFeatures**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 3 |
- 3 |
- |
- |
-
-
-
-
-Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
-
-- 1 (default) - Turns on VBS with Secure Boot.
-- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
-
-
-
-
-
-
-
-
-**DeviceGuard/LsaCfgFlags**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 3 |
- 3 |
- |
- |
-
-
-
-
-
-
-Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values:
-
-- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock
-- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock
-- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock
-
-
-
-
-
-
-
-**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
-
-
-This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
-
-If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-
-If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
-
-
-
-ADMX Info:
-- GP english name: *Prevent installation of devices that match any of these device IDs*
-- GP name: *DeviceInstall_IDs_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
-
-
-
-
-**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
-
-
-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
-
-If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
-
-If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
-
-
-
-ADMX Info:
-- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
-- GP name: *DeviceInstall_Classes_Deny*
-- GP path: *System/Device Installation/Device Installation Restrictions*
-- GP ADMX file name: *deviceinstallation.admx*
-
-
-
-
-**DeviceLock/AllowIdleReturnWithoutPassword**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies whether the user must input a PIN or password when the device resumes from an idle state.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-> [!IMPORTANT]
-> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
-
-
-
-
-**DeviceLock/AllowSimpleDevicePassword**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
-**DeviceLock/AlphanumericDevicePasswordRequired**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).
-
-
-
The following list shows the supported values:
-
-- 0 – Alphanumeric PIN or password required.
-- 1 – Numeric PIN or password required.
-- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
-
-> [!NOTE]
-> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
->
-> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
-
-
-
-
-
-
-**DeviceLock/DevicePasswordEnabled**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether device lock is enabled.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
-
-
The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
-
-> [!IMPORTANT]
-> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
->
-> - AllowSimpleDevicePassword
-> - MinDevicePasswordLength
-> - AlphanumericDevicePasswordRequired
-> - MaxDevicePasswordFailedAttempts
-> - MaxInactivityTimeDeviceLock
-> - MinDevicePasswordComplexCharacters
-
-
-> [!IMPORTANT]
-> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set:
->
-> - MinDevicePasswordLength is set to 4
-> - MinDevicePasswordComplexCharacters is set to 1
->
-> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
->
-> - MinDevicePasswordLength
-> - MinDevicePasswordComplexCharacters
-
-> [!Important]
-> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
-> - **DevicePasswordEnabled** is the parent policy of the following:
-> - AllowSimpleDevicePassword
-> - MinDevicePasswordLength
-> - AlphanumericDevicePasswordRequired
-> - MinDevicePasswordComplexCharacters
-> - DevicePasswordExpiration
-> - DevicePasswordHistory
-> - MaxDevicePasswordFailedAttempts
-> - MaxInactivityTimeDeviceLock
-
-
-
-
-**DeviceLock/DevicePasswordExpiration**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies when the password expires (in days).
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- An integer X where 0 <= X <= 730.
-- 0 (default) - Passwords do not expire.
-
-
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
-**DeviceLock/DevicePasswordHistory**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies how many passwords can be stored in the history that can’t be used.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- An integer X where 0 <= X <= 50.
-- 0 (default)
-
-
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
-
-
Max policy value is the most restricted.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
-**DeviceLock/EnforceLockScreenAndLogonImage**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
-
-
-
Value type is a string, which is the full image filepath and filename.
-
-
-
-
-**DeviceLock/EnforceLockScreenProvider**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for mobile devices.
-
-
-
Value type is a string, which is the AppID.
-
-
-
-
-**DeviceLock/MaxDevicePasswordFailedAttempts**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-This policy has different behaviors on the mobile device and desktop.
-
-- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
-- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
-
- Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
-
-
The following list shows the supported values:
-
-- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
-- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
-
-
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
-**DeviceLock/MaxInactivityTimeDeviceLock**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- An integer X where 0 <= X <= 999.
-- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
-
-
-
-
-**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 2 |
- 2 |
-
-
-
-
-
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
-
The following list shows the supported values:
-
-- An integer X where 0 <= X <= 999.
-- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
-
-
-
-**DeviceLock/MinDevicePasswordComplexCharacters**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
-
PIN enforces the following behavior for desktop and mobile devices:
-
-- 1 - Digits only
-- 2 - Digits and lowercase letters are required
-- 3 - Digits, lowercase letters, and uppercase letters are required
-- 4 - Digits, lowercase letters, uppercase letters, and special characters are required
-
-
The default value is 1. The following list shows the supported values and actual enforced values:
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mobile |
-1,2,3,4 |
-Same as the value set |
-
-
-Desktop Local Accounts |
- 1,2,3 |
-3 |
-
-
-Desktop Microsoft Accounts |
-1,2 |
- |
-
-
-Desktop Domain Accounts |
-Not supported |
-Not supported |
-
-
-
-
-
-Enforced values for Local and Microsoft Accounts:
-
-- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
-- Passwords for local accounts must meet the following minimum requirements:
-
- - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- - Be at least six characters in length
- - Contain characters from three of the following four categories:
-
- - English uppercase characters (A through Z)
- - English lowercase characters (a through z)
- - Base 10 digits (0 through 9)
- - Special characters (!, $, \#, %, etc.)
-
-
The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-
-
-
-**DeviceLock/MinDevicePasswordLength**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies the minimum number or characters required in the PIN or password.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
->
-> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
-
-
-
The following list shows the supported values:
-
-- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
-- Not enforced.
-- The default value is 4 for mobile devices and desktop devices.
-
-
Max policy value is the most restricted.
-
-
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
-
-
-
-
-**DeviceLock/PreventLockScreenSlideShow**
-
-
-Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
-
-By default, users can enable a slide show that will run after they lock the machine.
-
-If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
-
-
-
-ADMX Info:
-- GP english name: *Prevent enabling lock screen slide show*
-- GP name: *CPL_Personalization_NoLockScreenSlideshow*
-- GP path: *Control Panel/Personalization*
-- GP ADMX file name: *ControlPanelDisplay.admx*
-
-
-
-
-**DeviceLock/ScreenTimeoutWhileLocked**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
-
-
Minimum supported value is 10.
-
-
Maximum supported value is 1800.
-
-
The default value is 10.
-
-
Most restricted value is 0.
-
-
-
-
-**Display/TurnOffGdiDPIScalingForApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
-
-
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
-
-
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-
-
If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
-
-
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
-
-
To validate on Desktop, do the following:
-
-1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
-2. Run the app and observe blurry text.
-
-
-
-
-**Display/TurnOnGdiDPIScalingForApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
-
-
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
-
-
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
-
-
If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
-
-
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
-
-
To validate on Desktop, do the following:
-
-1. Configure the setting for an app which uses GDI.
-2. Run the app and observe crisp text.
-
-
-
-
-**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
-
-
The datatype is a string.
-
-
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs".
-
-
-
-
-**EnterpriseCloudPrint/CloudPrintOAuthClientId**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
-
-
The datatype is a string.
-
-
The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
-
-
-
-
-**EnterpriseCloudPrint/CloudPrintResourceId**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
-
-
The datatype is a string.
-
-
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
-
-
-
-
-**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
-
-
The datatype is a string.
-
-
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com".
-
-
-
-
-**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
-
-
The datatype is an integer.
-
-
For Windows Mobile, the default value is 20.
-
-
-
-
-**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
-
-
The datatype is a string.
-
-
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint".
-
-
-
-
-**ErrorReporting/CustomizeConsentSettings**
-
-
-This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
-
-If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
-
-- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
-
-- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
-
-- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
-
-- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
-
-- 4 (Send all data): Any data requested by Microsoft is sent automatically.
-
-If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
-
-
-
-ADMX Info:
-- GP english name: *Customize consent settings*
-- GP name: *WerConsentCustomize_2*
-- GP path: *Windows Components/Windows Error Reporting/Consent*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/DisableWindowsErrorReporting**
-
-
-This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
-
-If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
-
-If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
-
-
-
-ADMX Info:
-- GP english name: *Disable Windows Error Reporting*
-- GP name: *WerDisable_2*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/DisplayErrorNotification**
-
-
-This policy setting controls whether users are shown an error dialog box that lets them report an error.
-
-If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
-
-If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
-
-If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
-
-See also the Configure Error Reporting policy setting.
-
-
-
-ADMX Info:
-- GP english name: *Display Error Notification*
-- GP name: *PCH_ShowUI*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/DoNotSendAdditionalData**
-
-
-This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
-
-If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
-
-If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
-
-
-
-ADMX Info:
-- GP english name: *Do not send additional data*
-- GP name: *WerNoSecondLevelData_2*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**ErrorReporting/PreventCriticalErrorDisplay**
-
-
-This policy setting prevents the display of the user interface for critical errors.
-
-If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
-
-If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
-
-
-
-ADMX Info:
-- GP english name: *Prevent display of the user interface for critical errors*
-- GP name: *WerDoNotShowUI*
-- GP path: *Windows Components/Windows Error Reporting*
-- GP ADMX file name: *ErrorReporting.admx*
-
-
-
-
-**EventLogService/ControlEventLogBehavior**
-
-
-This policy setting controls Event Log behavior when the log file reaches its maximum size.
-
-If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
-
-If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
-
-Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
-
-
-
-ADMX Info:
-- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
-- GP name: *Channel_Log_Retention_1*
-- GP path: *Windows Components/Event Log Service/Application*
-- GP ADMX file name: *eventlog.admx*
-
-
-
-
-**EventLogService/SpecifyMaximumFileSizeApplicationLog**
-
-
-This policy setting specifies the maximum size of the log file in kilobytes.
-
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
-
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
-
-
-ADMX Info:
-- GP english name: *Specify the maximum log file size (KB)*
-- GP name: *Channel_LogMaxSize_1*
-- GP path: *Windows Components/Event Log Service/Application*
-- GP ADMX file name: *eventlog.admx*
-
-
-
-
-**EventLogService/SpecifyMaximumFileSizeSecurityLog**
-
-
-This policy setting specifies the maximum size of the log file in kilobytes.
-
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
-
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
-
-
-ADMX Info:
-- GP english name: *Specify the maximum log file size (KB)*
-- GP name: *Channel_LogMaxSize_2*
-- GP path: *Windows Components/Event Log Service/Security*
-- GP ADMX file name: *eventlog.admx*
-
-
-
-
-**EventLogService/SpecifyMaximumFileSizeSystemLog**
-
-
-This policy setting specifies the maximum size of the log file in kilobytes.
-
-If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
-
-If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
-
-
-
-ADMX Info:
-- GP english name: *Specify the maximum log file size (KB)*
-- GP name: *Channel_LogMaxSize_4*
-- GP path: *Windows Components/Event Log Service/System*
-- GP ADMX file name: *eventlog.admx*
-
-
-
-
-**Experience/AllowCopyPaste**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-Specifies whether copy and paste is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowCortana**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
Benefit to the customer:
-
-
Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive.
-
-
Sample scenario:
-
-
An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more.
-
-
-
-
-**Experience/AllowDeviceDiscovery**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows users to turn on/off device discovery UX.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowManualMDMUnenrollment**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to allow the user to delete the workplace account using the workplace control panel.
-
-> [!NOTE]
-> The MDM server can always remotely delete the account.
-
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies whether to display dialog prompt when no SIM card is detected.
-
-
The following list shows the supported values:
-
-- 0 – SIM card dialog prompt is not displayed.
-- 1 (default) – SIM card dialog prompt is displayed.
-
-
-
-
-**Experience/AllowScreenCapture**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies whether screen capture is allowed.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowSyncMySettings**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
-
-
The following list shows the supported values:
-
-- 0 – Sync settings is not allowed.
-- 1 (default) – Sync settings allowed.
-
-
-
-
-**Experience/AllowTailoredExperiencesWithDiagnosticData**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
-
-
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
-
-> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowTaskSwitcher**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Allows or disallows task switching on the device.
-
-
The following list shows the supported values:
-
-- 0 – Task switching not allowed.
-- 1 (default) – Task switching allowed.
-
-
-
-
-**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
-
-Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
-
-
The following list shows the supported values:
-
-- 0 – Third-party suggestions not allowed.
-- 1 (default) – Third-party suggestions allowed.
-
-
-
-
-**Experience/AllowVoiceRecording**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies whether voice recording is allowed for apps.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowWindowsConsumerFeatures**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
-
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result.
-
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowWindowsSpotlight**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-
-
-Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowWindowsSpotlightOnActionCenter**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
-The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Experience/AllowWindowsTips**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Enables or disables Windows Tips / soft landing.
-
-The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Enabled.
-
-
-
-
-**Experience/ConfigureWindowsSpotlightOnLockScreen**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
-
-
-Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
-
-
The following list shows the supported values:
-
-- 0 – None.
-- 1 (default) – Windows spotlight enabled.
-- 2 – placeholder only for future extension. Using this value has no effect.
-
-
-
-
-**Experience/DoNotShowFeedbackNotifications**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Prevents devices from showing feedback questions from Microsoft.
-
-
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
-
-
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
-
-
The following list shows the supported values:
-
-- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
-- 1 – Feedback notifications are disabled.
-
-
-
-
-**Games/AllowAdvancedGamingServices**
-
-
-
Placeholder only. Currently not supported.
-
-
-
-
-**InternetExplorer/AddSearchProvider**
-
-
-This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
-
-If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
-
-If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
-
-
-
-ADMX Info:
-- GP english name: *Add a specific list of search providers to the user's list of search providers*
-- GP name: *AddSearchProvider*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowActiveXFiltering**
-
-
-This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
-
-If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
-
-If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
-
-
-
-ADMX Info:
-- GP english name: *Turn on ActiveX Filtering*
-- GP name: *TurnOnActiveXFiltering*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowAddOnList**
-
-
-This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
-
-This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.
-
-If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
-
-Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
-
-Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
-
-If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
-
-
-
-ADMX Info:
-- GP english name: *Add-on List*
-- GP name: *AddonManagement_AddOnList*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowEnhancedProtectedMode**
-
-
-Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
-
-If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
-
-If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.
-
-If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
-
-
-
-ADMX Info:
-- GP english name: *Turn on Enhanced Protected Mode*
-- GP name: *Advanced_EnableEnhancedProtectedMode*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
-
-
-This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
-
-If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
-
-If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
-
-
-
-ADMX Info:
-- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu*
-- GP name: *EnterpriseModeEnable*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowEnterpriseModeSiteList**
-
-
-This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
-
-If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
-
-If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
-
-
-
-ADMX Info:
-- GP english name: *Use the Enterprise Mode IE website list*
-- GP name: *EnterpriseModeSiteList*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowInternetExplorer7PolicyList **
-
-
-This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
-
-If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
-
-If you disable or do not configure this policy setting, the user can add and remove sites from the list.
-
-
-
-ADMX Info:
-- GP english name: *Use Policy List of Internet Explorer 7 sites*
-- GP name: *CompatView_UsePolicyList*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowInternetExplorerStandardsMode**
-
-
-This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
-
-If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
-
-If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.
-
-If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
-
-
-
-ADMX Info:
-- GP english name: *Turn on Internet Explorer Standards Mode for local intranet*
-- GP name: *CompatView_IntranetSites*
-- GP path: *Windows Components/Internet Explorer/Compatibility View*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowInternetZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Internet Zone Template*
-- GP name: *IZ_PolicyInternetZoneTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowIntranetZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Intranet Zone Template*
-- GP name: *IZ_PolicyIntranetZoneTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowLocalMachineZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Local Machine Zone Template*
-- GP name: *IZ_PolicyLocalMachineZoneTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowLockedDownInternetZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Locked-Down Internet Zone Template*
-- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowLockedDownIntranetZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Locked-Down Intranet Zone Template*
-- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Locked-Down Local Machine Zone Template*
-- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Locked-Down Restricted Sites Zone Template*
-- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowOneWordEntry**
-
-
-This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
-
-If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.
-
-If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
-
-
-
-ADMX Info:
-- GP english name: *Go to an intranet site for a one-word entry in the Address bar*
-- GP name: *UseIntranetSiteForOneWordEntry*
-- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowSiteToZoneAssignmentList**
-
-
-This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
-
-Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
-
-If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
-
-Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
-
-Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
-
-If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
-
-
-
-ADMX Info:
-- GP english name: *Site to Zone Assignment List*
-- GP name: *IZ_Zonemaps*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowSuggestedSites**
-
-
-This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
-
-If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
-
-If you disable this policy setting, the entry points and functionality associated with this feature are turned off.
-
-If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
-
-
-
-ADMX Info:
-- GP english name: *Turn on Suggested Sites*
-- GP name: *EnableSuggestedSites*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowTrustedSitesZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Trusted Sites Zone Template*
-- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Locked-Down Trusted Sites Zone Template*
-- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
-
-
-This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
-
-If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
-
-If you disable this template policy setting, no security level is configured.
-
-If you do not configure this template policy setting, no security level is configured.
-
-Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
-
-Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
-
-
-
-ADMX Info:
-- GP english name: *Restricted Sites Zone Template*
-- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableAdobeFlash**
-
-
-This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
-
-If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
-
-If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.
-
-Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
-
-
-
-ADMX Info:
-- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
-- GP name: *DisableFlashInIE*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableBypassOfSmartScreenWarnings**
-
-
-This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
-
-If you enable this policy setting, SmartScreen Filter warnings block the user.
-
-If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
-
-
-
-ADMX Info:
-- GP english name: *Prevent bypassing SmartScreen Filter warnings*
-- GP name: *DisableSafetyFilterOverride*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles**
-
-
-This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
-
-If you enable this policy setting, SmartScreen Filter warnings block the user.
-
-If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
-
-
-
-ADMX Info:
-- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
-- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
-
-
-This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
-
-If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
-
-If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
-
-If you do not configure this policy setting, the user can choose to participate in the CEIP.
-
-
-
-ADMX Info:
-- GP english name: *Prevent participation in the Customer Experience Improvement Program*
-- GP name: *SQM_DisableCEIP*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableEnclosureDownloading**
-
-
-This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
-
-If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
-
-If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
-
-
-
-ADMX Info:
-- GP english name: *Prevent downloading of enclosures*
-- GP name: *Disable_Downloading_of_Enclosures*
-- GP path: *Windows Components/RSS Feeds*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableEncryptionSupport**
-
-
-This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
-
-If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
-
-If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.
-
-Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
-
-
-
-ADMX Info:
-- GP english name: *Turn off encryption support*
-- GP name: *Advanced_SetWinInetProtocols*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableFirstRunWizard**
-
-
-This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
-
-If you enable this policy setting, you must make one of the following choices:
-Skip the First Run wizard, and go directly to the user's home page.
-Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
-
-Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
-
-If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
-
-
-
-ADMX Info:
-- GP english name: *Prevent running First Run wizard*
-- GP name: *NoFirstRunCustomise*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableFlipAheadFeature**
-
-
-This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
-
-Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
-
-If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.
-
-If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
-
-If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
-
-
-
-ADMX Info:
-- GP english name: *Turn off the flip ahead with page prediction feature*
-- GP name: *Advanced_DisableFlipAhead*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableHomePageChange**
-
-
-The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
-
-If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
-
-If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
-
-
-
-ADMX Info:
-- GP english name: *Disable changing home page settings*
-- GP name: *RestrictHomePage*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableProxyChange**
-
-
-This policy setting specifies if a user can change proxy settings.
-
-If you enable this policy setting, the user will not be able to configure proxy settings.
-
-If you disable or do not configure this policy setting, the user can configure proxy settings.
-
-
-
-ADMX Info:
-- GP english name: *Prevent changing proxy settings*
-- GP name: *RestrictProxy*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableSearchProviderChange**
-
-
-This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
-
-If you enable this policy setting, the user cannot change the default search provider.
-
-If you disable or do not configure this policy setting, the user can change the default search provider.
-
-
-
-ADMX Info:
-- GP english name: *Prevent changing the default search provider*
-- GP name: *NoSearchProvider*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableSecondaryHomePageChange**
-
-
-Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
-
-If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
-
-If you disable or do not configure this policy setting, the user can add secondary home pages.
-
-Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
-
-
-
-ADMX Info:
-- GP english name: *Disable changing secondary home page settings*
-- GP name: *SecondaryHomePages*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DisableUpdateCheck**
-
-
-Prevents Internet Explorer from checking whether a new version of the browser is available.
-
-If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
-
-If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.
-
-This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
-
-
-
-ADMX Info:
-- GP english name: *Disable Periodic Check for Internet Explorer software updates*
-- GP name: *NoUpdateCheck*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotAllowUsersToAddSites**
-
-
-Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
-
-If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
-
-If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.
-
-This policy prevents users from changing site management settings for security zones established by the administrator.
-
-Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
-
-Also, see the "Security zones: Use only machine settings" policy.
-
-
-
-ADMX Info:
-- GP english name: *Security Zones: Do not allow users to add/delete sites*
-- GP name: *Security_zones_map_edit*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotAllowUsersToChangePolicies**
-
-
-Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
-
-If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
-
-If you disable this policy or do not configure it, users can change the settings for security zones.
-
-This policy prevents users from changing security zone settings established by the administrator.
-
-Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
-
-Also, see the "Security zones: Use only machine settings" policy.
-
-
-
-ADMX Info:
-- GP english name: *Security Zones: Do not allow users to change policies*
-- GP name: *Security_options_edit*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotBlockOutdatedActiveXControls**
-
-
-This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
-
-If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
-
-If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
-
-For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
-
-
-ADMX Info:
-- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
-- GP name: *VerMgmtDisable*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
-
-
-This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
-
-If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
-
-1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
-2. "hostname". For example, if you want to include http://example, use "example"
-3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"
-
-If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
-
-For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
-
-
-
-ADMX Info:
-- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
-- GP name: *VerMgmtDomainAllowlist*
-- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IncludeAllLocalSites**
-
-
-This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
-
-If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
-
-If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
-
-If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
-
-
-
-ADMX Info:
-- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
-- GP name: *IZ_IncludeUnspecifiedLocalSites*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IncludeAllNetworkPaths**
-
-
-This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
-
-If you enable this policy setting, all network paths are mapped into the Intranet Zone.
-
-If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
-
-If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
-
-
-
-ADMX Info:
-- GP english name: *Intranet Sites: Include all network paths (UNCs)*
-- GP name: *IZ_UNCAsIntranet*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
-
-If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
-
-If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/SearchProviderList**
-
-
-This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
-
-If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
-
-If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
-
-
-
-ADMX Info:
-- GP english name: *Restrict search providers to a specific list*
-- GP name: *SpecificSearchProvider*
-- GP path: *Windows Components/Internet Explorer*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
-
-
-This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
-
-If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
-
-
-
-ADMX Info:
-- GP english name: *Access data sources across domains*
-- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
-
-
-This policy setting manages whether users will be automatically prompted for ActiveX control installations.
-
-If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
-
-If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for ActiveX controls*
-- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
-
-
-This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
-
-If you enable this setting, users will receive a file download dialog for automatic download attempts.
-
-If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
-
-
-
-ADMX Info:
-- GP english name: *Automatic prompting for file downloads*
-- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
-
-
-This policy setting allows you to manage whether pages of the zone may download HTML fonts.
-
-If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
-
-If you disable this policy setting, HTML fonts are prevented from downloading.
-
-If you do not configure this policy setting, HTML fonts can be downloaded automatically.
-
-
-
-ADMX Info:
-- GP english name: *Allow font downloads*
-- GP name: *IZ_PolicyFontDownload_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
-
-
-This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
-
-If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
-
-If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
-
-If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
-
-
-
-ADMX Info:
-- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
-- GP name: *IZ_PolicyZoneElevationURLaction_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
-
-
-This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
-
-If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
-
-If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
-
-If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
-
-
-
-ADMX Info:
-- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
-- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowScriptlets**
-
-
-This policy setting allows you to manage whether the user can run scriptlets.
-
-If you enable this policy setting, the user can run scriptlets.
-
-If you disable this policy setting, the user cannot run scriptlets.
-
-If you do not configure this policy setting, the user can enable or disable scriptlets.
-
-
-
-ADMX Info:
-- GP english name: *Allow scriptlets*
-- GP name: *IZ_Policy_AllowScriptlets_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
-
-
-This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
-
-If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
-
-If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
-
-If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
-
-Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
-
-
-
-ADMX Info:
-- GP english name: *Turn on SmartScreen Filter scan*
-- GP name: *IZ_Policy_Phishing_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
-
-
-This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
-
-If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
-
-
-
-ADMX Info:
-- GP english name: *Userdata persistence*
-- GP name: *IZ_PolicyUserdataPersistence_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
-
-
-This policy setting allows you to manage ActiveX controls not marked as safe.
-
-If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
-
-If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
-
-If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
-
-
-
-ADMX Info:
-- GP english name: *Initialize and script ActiveX controls not marked as safe*
-- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
-
-
-This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
-
-If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
-
-If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
-
-If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
-
-
-
-ADMX Info:
-- GP english name: *Navigate windows and frames across different domains*
-- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
-- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
-- GP ADMX file name: *inetres.admx*
-
-
-
-
-**Kerberos/AllowForestSearchOrder**
-
-
-This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
-
-If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
-
-If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
-
-
-
-ADMX Info:
-- GP english name: *None*
-- GP name: *ForestSearch*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
-
-
-This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
-If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
-
-If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
-
-
-
-ADMX Info:
-- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
-- GP name: *EnableCbacAndArmor*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/RequireKerberosArmoring**
-
-
-This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
-
-Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
-
-If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
-
-Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
-
-If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
-
-
-
-ADMX Info:
-- GP english name: *Fail authentication requests when Kerberos armoring is not available*
-- GP name: *ClientRequireFast*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/RequireStrictKDCValidation**
-
-
-This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
-
-If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
-
-If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
-
-
-
-ADMX Info:
-- GP english name: *Require strict KDC validation*
-- GP name: *ValidateKDC*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Kerberos/SetMaximumContextTokenSize**
-
-
-This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
-
-The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
-
-If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
-
-If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
-
-Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
-
-
-
-ADMX Info:
-- GP english name: *Set maximum Kerberos SSPI context token buffer size*
-- GP name: *MaxTokenSize*
-- GP path: *System/Kerberos*
-- GP ADMX file name: *Kerberos.admx*
-
-
-
-
-**Licensing/AllowWindowsEntitlementReactivation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
-
-
The following list shows the supported values:
-
-- 0 – Disable Windows license reactivation on managed devices.
-- 1 (default) – Enable Windows license reactivation on managed devices.
-
-
-
-
-**Licensing/DisallowKMSClientOnlineAVSValidation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
-
-
The following list shows the supported values:
-
-- 0 (default) – Disabled.
-- 1 – Enabled.
-
-
-
-
-**Location/EnableLocation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
-
-> [!IMPORTANT]
-> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
-
-
The following list shows the supported values:
-
-- 0 (default) – Disabled.
-- 1 – Enabled.
-
-
To validate on Desktop, do the following:
-
-1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
-2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
-
-
-
-
-**LockDown/AllowEdgeSwipe**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
-
-
The following list shows the supported values:
-
-- 0 - disallow edge swipe.
-- 1 (default, not configured) - allow edge swipe.
-
-
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
-
-
-
-
-**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
-
-
The following list shows the supported values:
-
-- 65535 (default) – Not configured. User's choice.
-- 0 – Disabled. Force disable auto-update over metered connection.
-- 1 – Enabled. Force enable auto-update over metered connection.
-
-
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
-
-
-
-
-**Maps/EnableOfflineMapsAutoUpdate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Disables the automatic download and update of map data.
-
-
The following list shows the supported values:
-
-- 65535 (default) – Not configured. User's choice.
-- 0 – Disabled. Force off auto-update.
-- 1 – Enabled. Force on auto-update.
-
-
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
-
-
-
-
-**Messaging/AllowMMS**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 2 |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
-
-
The following list shows the supported values:
-
-- 0 - Disabled.
-- 1 (default) - Enabled.
-
-
-
-
-**Messaging/AllowMessageSync**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
-
-
The following list shows the supported values:
-
-- 0 - message sync is not allowed and cannot be changed by the user.
-- 1 - message sync is allowed. The user can change this setting.
-
-
-
-
-**Messaging/AllowRCS**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 2 |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
-
-
The following list shows the supported values:
-
-- 0 - Disabled.
-- 1 (default) - Enabled.
-
-
-
-
-**NetworkIsolation/EnterpriseCloudResources**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
-
-
-
-
-**NetworkIsolation/EnterpriseIPRange**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
-
-``` syntax
-10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
-192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
-2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
-2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
-fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-```
-
-
-
-
-**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
-
-
-
-
-**NetworkIsolation/EnterpriseInternalProxyServers**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
-
-
-
-
-**NetworkIsolation/EnterpriseNetworkDomainNames**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
-
-> [!NOTE]
-> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
-
-
-
Here are the steps to create canonical domain names:
-
-1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
-2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
-3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
-
-
-
-
-**NetworkIsolation/EnterpriseProxyServers**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
-
-
-
-
-**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
-
-
-
-
-**NetworkIsolation/NeutralResources**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-List of domain names that can used for work or personal resource.
-
-
-
-
-**Notifications/DisallowNotificationMirroring**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
-
-> [!IMPORTANT]
-> This node must be accessed using the following paths:
->
-> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
-
-
-
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
-
-
No reboot or service restart is required for this policy to take effect.
-
-
The following list shows the supported values:
-
-- 0 (default)– enable notification mirroring.
-- 1 – disable notification mirroring.
-
-
-
-
-**Power/AllowStandbyWhenSleepingPluggedIn**
-
-
-This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
-
-If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
-
-If you disable this policy setting, standby states (S1-S3) are not allowed.
-
-
-
-ADMX Info:
-- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
-- GP name: *AllowStandbyStatesAC_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/DisplayOffTimeoutOnBattery**
-
-
-
Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
-
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
-
-
If you disable or do not configure this policy setting, users control this setting.
-
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
-
-ADMX Info:
-- GP english name: *Turn off the display (on battery)*
-- GP name: *VideoPowerDownTimeOutDC_2*
-- GP path: *System/Power Management/Video and Display Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/DisplayOffTimeoutPluggedIn**
-
-
-
-
Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
-
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
-
-
If you disable or do not configure this policy setting, users control this setting.
-
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
-
-ADMX Info:
-- GP english name: *Turn off the display (plugged in)*
-- GP name: *VideoPowerDownTimeOutAC_2*
-- GP path: *System/Power Management/Video and Display Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/HibernateTimeoutOnBattery**
-
-
-
Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
-
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
-
-
If you disable or do not configure this policy setting, users control this setting.
-
-
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
-ADMX Info:
-- GP english name: *Specify the system hibernate timeout (on battery)*
-- GP name: *DCHibernateTimeOut_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/HibernateTimeoutPluggedIn**
-
-
-
Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
-
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
-
-
If you disable or do not configure this policy setting, users control this setting.
-
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
-
-ADMX Info:
-- GP english name: *Specify the system hibernate timeout (plugged in)*
-- GP name: *ACHibernateTimeOut_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/RequirePasswordWhenComputerWakesOnBattery**
-
-
-This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
-
-If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
-
-If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
-
-
-
-ADMX Info:
-- GP english name: *Require a password when a computer wakes (on battery)*
-- GP name: *DCPromptForPasswordOnResume_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-**Power/RequirePasswordWhenComputerWakesPluggedIn**
-
-
-This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
-
-If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
-
-If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
-
-
-
-ADMX Info:
-- GP english name: *Require a password when a computer wakes (plugged in)*
-- GP name: *ACPromptForPasswordOnResume_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/StandbyTimeoutOnBattery**
-
-
-
Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
-
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
-
-
If you disable or do not configure this policy setting, users control this setting.
-
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
-
-ADMX Info:
-- GP english name: *Specify the system sleep timeout (on battery)*
-- GP name: *DCStandbyTimeOut_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Power/StandbyTimeoutPluggedIn**
-
-
-
Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
-
-
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
-
-
If you disable or do not configure this policy setting, users control this setting.
-
-
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
-
-
-
-ADMX Info:
-- GP english name: *Specify the system sleep timeout (plugged in)*
-- GP name: *ACStandbyTimeOut_2*
-- GP path: *System/Power Management/Sleep Settings*
-- GP ADMX file name: *power.admx*
-
-
-
-
-
-**Printers/PointAndPrintRestrictions**
-
-
-This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
-
-If you enable this policy setting:
--Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
--You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
-
-If you do not configure this policy setting:
--Windows Vista client computers can point and print to any server.
--Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
--Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
--Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
-
-If you disable this policy setting:
--Windows Vista client computers can create a printer connection to any server using Point and Print.
--Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
--Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
--Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
--The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
-
-
-
-ADMX Info:
-- GP english name: *Point and Print Restrictions*
-- GP name: *PointAndPrint_Restrictions_Win7*
-- GP path: *Printers*
-- GP ADMX file name: *Printing.admx*
-
-
-
-
-**Printers/PointAndPrintRestrictions_User**
-
-
-This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
-
-If you enable this policy setting:
--Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
--You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
-
-If you do not configure this policy setting:
--Windows Vista client computers can point and print to any server.
--Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
--Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
--Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
-
-If you disable this policy setting:
--Windows Vista client computers can create a printer connection to any server using Point and Print.
--Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
--Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
--Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
--The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
-
-
-
-ADMX Info:
-- GP english name: *Point and Print Restrictions*
-- GP name: *PointAndPrint_Restrictions*
-- GP ADMX file name: *Printing.admx*
-
-
-
-
-**Printers/PublishPrinters**
-
-
-Determines whether the computer's shared printers can be published in Active Directory.
-
-If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
-
-If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
-
-Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
-
-
-
-ADMX Info:
-- GP english name: *Allow printers to be published*
-- GP name: *PublishPrinters*
-- GP path: *Printers*
-- GP ADMX file name: *Printing2.admx*
-
-
-
-
-**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
-
-
The following list shows the supported values:
-
-- 0 (default)– Not allowed.
-- 1 – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Privacy/AllowInputPersonalization**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-
-**Privacy/DisableAdvertisingId**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Enables or disables the Advertising ID.
-
-
The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 – Enabled.
-- 65535 (default)- Not configured.
-
-
Most restricted value is 0.
-
-
-
-
-**Privacy/LetAppsAccessAccountInfo**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCalendar**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCallHistory**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
-
-
-
-
-**Privacy/LetAppsAccessCamera**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessContacts**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessEmail**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessLocation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMessaging**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMicrophone**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMotion**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessNotifications**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessPhone**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessRadios**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessTasks**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
-
-
-
-
-**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessTrustedDevices**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsGetDiagnosticInfo**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsRunInBackground**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
-
-
The following list shows the supported values:
-
-- 0 – User in control (default).
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-> [!WARNING]
-> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
-
-
-
-
-**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 2 |
- 2 |
- |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsSyncWithDevices**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
-
-
The following list shows the supported values:
-
-- 0 – User in control.
-- 1 – Force allow.
-- 2 - Force deny.
-
-
Most restricted value is 2.
-
-
-
-
-**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-
-**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-
-**RemoteAssistance/CustomizeWarningMessages**
-
-
-This policy setting lets you customize warning messages.
-
-The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
-
-The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
-
-If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
-
-If you disable this policy setting, the user sees the default warning message.
-
-If you do not configure this policy setting, the user sees the default warning message.
-
-
-
-ADMX Info:
-- GP english name: *Customize warning messages*
-- GP name: *RA_Options*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteAssistance/SessionLogging**
-
-
-This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
-
-If you enable this policy setting, log files are generated.
-
-If you disable this policy setting, log files are not generated.
-
-If you do not configure this setting, application-based settings are used.
-
-
-
-ADMX Info:
-- GP english name: *Turn on session logging*
-- GP name: *RA_Logging*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteAssistance/SolicitedRemoteAssistance**
-
-
-This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
-
-If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
-
-If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
-
-If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
-
-If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
-
-The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
-
-The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
-
-If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
-
-
-
-ADMX Info:
-- GP english name: *Configure Solicited Remote Assistance*
-- GP name: *RA_Solicit*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteAssistance/UnsolicitedRemoteAssistance**
-
-
-This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
-
-If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
-
-If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
-
-If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
-
-If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
-
-To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
-
-\ or
-
-\
-
-If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
-
-Windows Vista and later
-
-Enable the Remote Assistance exception for the domain profile. The exception must contain:
-Port 135:TCP
-%WINDIR%\System32\msra.exe
-%WINDIR%\System32\raserver.exe
-
-Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
-
-Port 135:TCP
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
-%WINDIR%\System32\Sessmgr.exe
-
-For computers running Windows Server 2003 with Service Pack 1 (SP1)
-
-Port 135:TCP
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
-%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
-Allow Remote Desktop Exception
-
-
-
-ADMX Info:
-- GP english name: *Configure Offer Remote Assistance*
-- GP name: *RA_Unsolicit*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteDesktopServices/AllowUsersToConnectRemotely**
-
-
-This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
-
-If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
-
-If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
-
-If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
-
-Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
-
-You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
-
-
-
-ADMX Info:
-- GP english name: *Allow users to connect remotely by using Remote Desktop Services*
-- GP name: *TS_DISABLE_CONNECTIONS*
-- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections*
-- GP ADMX file name: *terminalserver.admx*
-
-
-
-
-**RemoteDesktopServices/ClientConnectionEncryptionLevel**
-
-
-Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
-
-If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
-
-* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
-
-* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
-
-* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
-
-If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.
-
-Important
-
-FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
-
-
-
-ADMX Info:
-- GP english name: *Set client connection encryption level*
-- GP name: *TS_ENCRYPTION_POLICY*
-- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
-- GP ADMX file name: *terminalserver.admx*
-
-
-
-
-**RemoteDesktopServices/DoNotAllowDriveRedirection**
-
-
-This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
-
-By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.
-
-If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
-
-If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
-
-If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
-
-
-
-ADMX Info:
-- GP english name: *Do not allow drive redirection*
-- GP name: *TS_CLIENT_DRIVE_M*
-- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
-- GP ADMX file name: *terminalserver.admx*
-
-
-
-
-**RemoteDesktopServices/DoNotAllowPasswordSaving**
-
-
-Controls whether passwords can be saved on this computer from Remote Desktop Connection.
-
-If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
-
-If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
-
-
-
-ADMX Info:
-- GP english name: *Do not allow passwords to be saved*
-- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
-- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client*
-- GP ADMX file name: *terminalserver.admx*
-
-
-
-
-**RemoteDesktopServices/PromptForPasswordUponConnection**
-
-
-This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
-
-You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
-
-By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
-
-If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
-
-If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
-
-If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
-
-
-
-ADMX Info:
-- GP english name: *Always prompt for password upon connection*
-- GP name: *TS_PASSWORD*
-- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
-- GP ADMX file name: *terminalserver.admx*
-
-
-
-
-**RemoteDesktopServices/RequireSecureRPCCommunication**
-
-
-Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
-
-You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
-
-If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
-
-If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.
-
-If the status is set to Not Configured, unsecured communication is allowed.
-
-Note: The RPC interface is used for administering and configuring Remote Desktop Services.
-
-
-
-ADMX Info:
-- GP english name: *Require secure RPC communication*
-- GP name: *TS_RPC_ENCRYPTION*
-- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security*
-- GP ADMX file name: *terminalserver.admx*
-
-
-
-
-**RemoteProcedureCall/RPCEndpointMapperClientAuthentication**
-
-
-This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
-
-If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
-
-If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-
-If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-
-Note: This policy will not be applied until the system is rebooted.
-
-
-
-ADMX Info:
-- GP english name: *Enable RPC Endpoint Mapper Client Authentication*
-- GP name: *RpcEnableAuthEpResolution*
-- GP path: *System/Remote Procedure Call*
-- GP ADMX file name: *rpc.admx*
-
-
-
-
-**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
-
-
-This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
-
-This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
-
-If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
-
-If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
-
-If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
-
--- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.
-
--- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
-
--- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
-
-Note: This policy setting will not be applied until the system is rebooted.
-
-
-
-ADMX Info:
-- GP english name: *Restrict Unauthenticated RPC clients*
-- GP name: *RpcRestrictRemoteClients*
-- GP path: *System/Remote Procedure Call*
-- GP ADMX file name: *rpc.admx*
-
-
-
-
-**Search/AllowIndexingEncryptedStoresOrItems**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
-
-
When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
-
-
When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Search/AllowSearchToUseLocation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether search can leverage location information.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Search/AllowUsingDiacritics**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows the use of diacritics.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Search/AlwaysUseAutoLangDetection**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to always use automatic language detection when indexing content and properties.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Search/DisableBackoff**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
-
-
The following list shows the supported values:
-
-- 0 (default) – Disable.
-- 1 – Enable.
-
-
-
-
-**Search/DisableRemovableDriveIndexing**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-This policy setting configures whether or not locations on removable drives can be added to libraries.
-
-
If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
-
-
If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
-
-
The following list shows the supported values:
-
-- 0 (default) – Disable.
-- 1 – Enable.
-
-
-
-
-**Search/PreventIndexingLowDiskSpaceMB**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
-
-
Enable this policy if computers in your environment have extremely limited hard drive space.
-
-
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
-
-
The following list shows the supported values:
-
-- 0 – Disable.
-- 1 (default) – Enable.
-
-
-
-
-**Search/PreventRemoteQueries**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
-
-
The following list shows the supported values:
-
-- 0 – Disable.
-- 1 (default) – Enable.
-
-
-
-
-**Search/SafeSearchPermissions**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies what level of safe search (filtering adult content) is required.
-
-
The following list shows the supported values:
-
-- 0 – Strict, highest filtering against adult content.
-- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).
-
-
Most restricted value is 0.
-
-
-
-
-**Security/AllowAddProvisioningPackage**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to allow the runtime configuration agent to install provisioning packages.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy has been deprecated in Windows 10, version 1607
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Security/AllowManualRootCertificateInstallation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Specifies whether the user is allowed to manually install root and intermediate CA certificates.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Security/AllowRemoveProvisioningPackage**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to allow the runtime configuration agent to remove provisioning packages.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Security/AntiTheftMode**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-Allows or disallow Anti Theft Mode on the device.
-
-
The following list shows the supported values:
-
-- 0 – Don't allow Anti Theft Mode.
-- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
-
-
-
-
-**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
-
-
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
-
The following list shows the supported values:
-
-- 0 (default) – Encryption enabled.
-- 1 – Encryption disabled.
-
-
-
-
-**Security/RequireDeviceEncryption**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
-
-Allows enterprise to turn on internal storage encryption.
-
-
The following list shows the supported values:
-
-- 0 (default) – Encryption is not required.
-- 1 – Encryption is required.
-
-
Most restricted value is 1.
-
-> [!IMPORTANT]
-> If encryption has been enabled, it cannot be turned off by using this policy.
-
-
-
-
-**Security/RequireProvisioningPackageSignature**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not required.
-- 1 – Required.
-
-
-
-
-**Security/RequireRetrieveHealthCertificateOnBoot**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not required.
-- 1 – Required.
-
-
Setting this policy to 1 (Required):
-
-- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
-- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
-
-> [!NOTE]
-> We recommend that this policy is set to Required after MDM enrollment.
-
-
-
Most restricted value is 1.
-
-
-
-
-**Settings/AllowAutoPlay**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows the user to change Auto Play settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-> [!NOTE]
-> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
-
-
-
-
-**Settings/AllowDataSense**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows the user to change Data Sense settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowDateTime**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows the user to change date and time settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowEditDeviceName**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 1 |
- 1 |
-
-
-
-
-
-Allows editing of the device name.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowLanguage**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows the user to change the language settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowPowerSleep**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows the user to change power and sleep settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowRegion**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows the user to change the region settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowSignInOptions**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows the user to change sign-in options.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowVPN**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows the user to change VPN settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowWorkplace**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Allows user to change workplace settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/AllowYourAccount**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows user to change account settings.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Settings/ConfigureTaskbarCalendar**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
-
-
The following list shows the supported values:
-
-- 0 (default) – User will be allowed to configure the setting.
-- 1 – Don't show additional calendars.
-- 2 - Simplified Chinese (Lunar).
-- 3 - Traditional Chinese (Lunar).
-
-
-
-
-**Settings/PageVisibilityList**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
-
-
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
-
-
showonly:about;bluetooth
-
-
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
-
-
The format of the PageVisibilityList value is as follows:
-
-- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
-- There are two variants: one that shows only the given pages and one which hides the given pages.
-- The first variant starts with the string "showonly:" and the second with the string "hide:".
-- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
-- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi".
-
-
The default value for this setting is an empty string, which is interpreted as show everything.
-
-
Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
-
-
showonly:wi-fi;bluetooth
-
-
Example 2, specifies that the wifi page should not be shown:
-
-
hide:wifi
-
-
To validate on Desktop, do the following:
-
-1. Open System Settings and verfiy that the About page is visible and accessible.
-2. Configure the policy with the following string: "hide:about".
-3. Open System Settings again and verify that the About page is no longer accessible.
-
-
-
-
-**SmartScreen/EnableAppInstallControl**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
-
-
The following list shows the supported values:
-
-- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
-- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
-
-
-
-
-**SmartScreen/EnableSmartScreenInShell**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
-
-
The following list shows the supported values:
-
-- 0 – Turns off SmartScreen in Windows.
-- 1 – Turns on SmartScreen in Windows.
-
-
-
-
-**SmartScreen/PreventOverrideForFilesInShell**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
-
-
The following list shows the supported values:
-
-- 0 – Employees can ignore SmartScreen warnings and run malicious files.
-- 1 – Employees cannot ignore SmartScreen warnings and run malicious files.
-
-
-
-
-**Speech/AllowSpeechModelUpdate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- | 1 |
- 1 |
- |
- 1 |
- 1 |
- 1 |
- 1 |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-**Start/AllowPinnedFolderDocuments**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderDownloads**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderFileExplorer**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderHomeGroup**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderMusic**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderNetwork**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderPersonalFolder**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderPictures**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderSettings**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/AllowPinnedFolderVideos**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
-
-
The following list shows the supported values:
-
-- 0 – The shortcut is hidden and disables the setting in the Settings app.
-- 1 – The shortcut is visible and disables the setting in the Settings app.
-- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
-
-
-
-
-**Start/ForceStartSize**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-Forces the start screen size.
-
-
The following list shows the supported values:
-
-- 0 (default) – Do not force size of Start.
-- 1 – Force non-fullscreen size of Start.
-- 2 - Force a fullscreen size of Start.
-
-
If there is policy configuration conflict, the latest configuration request is applied to the device.
-
-
-
-
-**Start/HideAppList**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list.
-
-
The following list shows the supported values:
-
-- 0 (default) – None.
-- 1 – Hide all apps list.
-- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
-- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
-
-
To validate on Desktop, do the following:
-
-- 1 - Enable policy and restart explorer.exe
-- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out.
-- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
-- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
-
-
-
-
-**Start/HideChangeAccountSettings**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
-
-
-
-
-**Start/HideFrequentlyUsedApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable "Show most used apps" in the Settings app.
-2. Use some apps to get them into the most used group in Start.
-3. Enable policy.
-4. Restart explorer.exe
-5. Check that "Show most used apps" Settings toggle is grayed out.
-6. Check that most used apps do not appear in Start.
-
-
-
-
-**Start/HideHibernate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Laptop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Hibernate" is not available.
-
-> [!NOTE]
-> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
-
-
-
-
-**Start/HideLock**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Lock" is not available.
-
-
-
-
-**Start/HidePowerButton**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, and verify the power button is not available.
-
-
-
-
-**Start/HideRecentJumplists**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings.
-2. Pin Photos to the taskbar, and open some images in the photos app.
-3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up.
-4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists.
-5. Enable policy.
-6. Restart explorer.exe
-7. Check that Settings toggle is grayed out.
-8. Repeat Step 2.
-9. Right Click pinned photos app and verify that there is no jumplist of recent items.
-
-
-
-
-**Start/HideRecentlyAddedApps**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable "Show recently added apps" in the Settings app.
-2. Check if there are recently added apps in Start (if not, install some).
-3. Enable policy.
-4. Restart explorer.exe
-5. Check that "Show recently added apps" Settings toggle is grayed out.
-6. Check that recently added apps do not appear in Start.
-
-
-
-
-**Start/HideRestart**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
-
-
-
-
-**Start/HideShutDown**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
-
-
-
-
-**Start/HideSignOut**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Sign out" is not available.
-
-
-
-
-**Start/HideSleep**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify that "Sleep" is not available.
-
-
-
-
-**Start/HideSwitchAccount**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Switch account" is not available.
-
-
-
-
-**Start/HideUserTile**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Log off.
-3. Log in, and verify that the user tile is gone from Start.
-
-
-
-
-**Start/ImportEdgeAssets**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
-Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
-
-> [!IMPORTANT]
-> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
-
-
The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic.
-
-
To validate on Desktop, do the following:
-
-1. Set policy with an XML for Edge assets.
-2. Set StartLayout policy to anything so that it would trigger the Edge assets import.
-3. Sign out/in.
-4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
-
-
-
-
-**Start/NoPinningToTaskbar**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (pinning enabled).
-- 1 - True (pinning disabled).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Right click on a program pinned to taskbar.
-3. Verify that "Unpin from taskbar" menu does not show.
-4. Open Start and right click on one of the app list icons.
-5. Verify that More->Pin to taskbar menu does not show.
-
-
-
-
-**Start/StartLayout**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!IMPORTANT]
-> This node is set on a per-user basis and must be accessed using the following paths:
-> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
->
->
-> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
-> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
-
-
-Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
-
-
This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
-
-
-
-
-**Storage/EnhancedStorageDevices**
-
-
-This policy setting configures whether or not Windows will activate an Enhanced Storage device.
-
-If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
-
-If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
-
-
-
-ADMX Info:
-- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
-- GP name: *TCGSecurityActivationDisabled*
-- GP path: *System/Enhanced Storage Access*
-- GP ADMX file name: *enhancedstorage.admx*
-
-
-
-
-**System/AllowBuildPreview**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
-
-
-This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
-
-
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
-- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
-- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
-
-
-
-
-**System/AllowEmbeddedMode**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether set general purpose device to be in embedded mode.
-
-
The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**System/AllowExperimentation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is not supported in Windows 10, version 1607.
-
-This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
-
-
The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Permits Microsoft to configure device settings only.
-- 2 – Allows Microsoft to conduct full experimentations.
-
-
Most restricted value is 0.
-
-
-
-
-**System/AllowFontProviders**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
-
-
Supported values:
-
-- false - No traffic to fs.microsoft.com and only locally-installed fonts are available.
-- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
-
-
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
-
-
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
-
-> [!Note]
-> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
-
-
To verify if System/AllowFontProviders is set to true:
-
-- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
-
-
-
-
-**System/AllowLocation**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to allow app access to the Location service.
-
-
The following list shows the supported values:
-
-- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
-- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
-- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
-
-
Most restricted value is 0.
-
-
While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
-
-
When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
-
-
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
-
-
-
-
-**System/AllowStorageCard**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
-
-
The following list shows the supported values:
-
-- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
-- 1 (default) – Allow a storage card.
-
-
Most restricted value is 0.
-
-
-
-
-**System/AllowTelemetry**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allow the device to send diagnostic and usage telemetry data, such as Watson.
-
-
The following tables describe the supported values:
-
-
-
-
-
-
-
-
-
-
-0 – Not allowed.
- |
-
-
- 1 – Allowed, except for Secondary Data Requests. |
-
-
-2 (default) – Allowed. |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
-
-Note This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
-
- |
-
-
-1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. |
-
-
-2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. |
-
-
-3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. |
-
-
-
-
-
-> [!IMPORTANT]
-> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
-
-
-Most restricted value is 0.
-
-
-
-
-**System/AllowUserToResetPhone**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed to reset to factory default settings.
-
-
Most restricted value is 0.
-
-
-
-
-**System/BootStartDriverInitialization**
-
-
-N/A
-
-
-
-ADMX Info:
-- GP english name: *Boot-Start Driver Initialization Policy*
-- GP name: *POL_DriverLoadPolicy_Name*
-- GP path: *System/Early Launch Antimalware*
-- GP ADMX file name: *earlylauncham.admx*
-
-
-
-
-**System/DisableOneDriveFileSync**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
-
-* Users cannot access OneDrive from the OneDrive app or file picker.
-* Windows Store apps cannot access OneDrive using the WinRT API.
-* OneDrive does not appear in the navigation pane in File Explorer.
-* OneDrive files are not kept in sync with the cloud.
-* Users cannot automatically upload photos and videos from the camera roll folder.
-
-
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
-
-
The following list shows the supported values:
-
-- 0 (default) – False (sync enabled).
-- 1 – True (sync disabled).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Restart machine.
-3. Verify that OneDrive.exe is not running in Task Manager.
-
-
-
-
-**System/DisableSystemRestore**
-
-
-Allows you to disable System Restore.
-
-This policy setting allows you to turn off System Restore.
-
-System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
-
-If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
-
-If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
-
-Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
-
-
-
-ADMX Info:
-- GP english name: *Turn off System Restore*
-- GP name: *SR_DisableSR*
-- GP path: *System/System Restore*
-- GP ADMX file name: *systemrestore.admx*
-
-
-
-
-**System/TelemetryProxy**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
-
-
If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
-
-
-
-
-**TextInput/AllowIMELogging**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowIMENetworkAccess**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowInputPanel**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the IT admin to disable the touch/handwriting keyboard on Windows.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowJapaneseIMESurrogatePairCharacters**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the Japanese IME surrogate pair characters.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowJapaneseIVSCharacters**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows Japanese Ideographic Variation Sequence (IVS) characters.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowJapaneseNonPublishingStandardGlyph**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the Japanese non-publishing standard glyph.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowJapaneseUserDictionary**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the Japanese user dictionary.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/AllowKeyboardTextSuggestions**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
-
-
The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Enabled.
-
-
Most restricted value is 0.
-
-
To validate that text prediction is disabled on Windows 10 for desktop, do the following:
-
-1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
-2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
-3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
-
-
-
-
-**TextInput/AllowKoreanExtendedHanja**
-
-
-
This policy has been deprecated.
-
-
-
-
-**TextInput/AllowLanguageFeaturesUninstall**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the uninstall of language features, such as spell checkers, on a device.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**TextInput/ExcludeJapaneseIMEExceptJIS0208**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the users to restrict character code range of conversion by setting the character filter.
-
-
The following list shows the supported values:
-
-- 0 (default) – No characters are filtered.
-- 1 – All characters except JIS0208 are filtered.
-
-
-
-
-**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the users to restrict character code range of conversion by setting the character filter.
-
-
The following list shows the supported values:
-
-- 0 (default) – No characters are filtered.
-- 1 – All characters except JIS0208 and EUDC are filtered.
-
-
-
-
-**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-Allows the users to restrict character code range of conversion by setting the character filter.
-
-
The following list shows the supported values:
-
-- 0 (default) – No characters are filtered.
-- 1 – All characters except ShiftJIS are filtered.
-
-
-
-
-**TimeLanguageSettings/AllowSet24HourClock**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- 2 |
- 2 |
-
-
-
-
-
-Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
-
-
The following list shows the supported values:
-
-- 0 – Locale default setting.
-- 1 (default) – Set 24 hour clock.
-
-
-
-
-**Update/ActiveHoursEnd**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- 1 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
-
-> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
-
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
-
The default is 17 (5 PM).
-
-
-
-
-**Update/ActiveHoursMaxRange**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
-  2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
-
-
Supported values are 8-18.
-
-
The default value is 18 (hours).
-
-
-
-
-**Update/ActiveHoursStart**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- 1 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
-
-> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
-
-
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
-
The default value is 8 (8 AM).
-
-
-
-
-**Update/AutoRestartDeadlinePeriodInDays**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
-
-
Supported values are 2-30 days.
-
-
The default value is 7 days.
-
-
-
-
-**Update/AllowAutoUpdate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
-
Supported operations are Get and Replace.
-
-
The following list shows the supported values:
-
-- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
-- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
-- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
-- 5 – Turn off automatic updates.
-
-> [!IMPORTANT]
-> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
-
-
If the policy is not configured, end-users get the default behavior (Auto install and restart).
-
-
-
-
-**Update/AllowMUUpdateService**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-
-Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed or not configured.
-- 1 – Allowed. Accepts updates received through Microsoft Update.
-
-
-
-
-**Update/AllowNonMicrosoftSignedUpdate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
-
-
Supported operations are Get and Replace.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
-- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
-
-
This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
-
-
-
-
-**Update/AllowUpdateService**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
-
-
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
-
-
Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
-
-
The following list shows the supported values:
-
-- 0 – Update service is not allowed.
-- 1 (default) – Update service is allowed.
-
-> [!NOTE]
-> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
-
-
-
-**Update/AutoRestartNotificationSchedule**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
-
-
Supported values are 15, 30, 60, 120, and 240 (minutes).
-
-
The default value is 15 (minutes).
-
-
-
-
-**Update/AutoRestartRequiredNotificationDismissal**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
-
-
The following list shows the supported values:
-
-- 1 (default) – Auto Dismissal.
-- 2 – User Dismissal.
-
-
-
-
-**Update/BranchReadinessLevel**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- 1 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
-
-
The following list shows the supported values:
-
-- 16 (default) – User gets all applicable upgrades from Current Branch (CB).
-- 32 – User gets upgrades from Current Branch for Business (CBB).
-
-
-
-
-**Update/DeferFeatureUpdatesPeriodInDays**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
-
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
-
-
Supported values are 0-365 days.
-
-> [!IMPORTANT]
-> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
-
-
-
-
-**Update/DeferQualityUpdatesPeriodInDays**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- 1 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
-
-
Supported values are 0-30.
-
-
-
-
-**Update/DeferUpdatePeriod**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
-
-Allows IT Admins to specify update delays for up to 4 weeks.
-
-
Supported values are 0-4, which refers to the number of weeks to defer updates.
-
-
In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
-
-- Update/RequireDeferUpgrade must be set to 1
-- System/AllowTelemetry must be set to 1 or higher
-
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
-
-
-
-
-
-
-
-
-
-OS upgrade |
-8 months |
-1 month |
-Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
-
-
-Update |
-1 month |
-1 week |
-
-Note
-If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
-
-
-- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
-- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
-- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
-- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
-- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
-- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
-- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
-- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
- |
-
-
-Other/cannot defer |
-No deferral |
-No deferral |
-Any update category not specifically enumerated above falls into this category.
-Definition Update - E0789628-CE08-4437-BE74-2495B842F43B |
-
-
-
-
-
-
-
-**Update/DeferUpgradePeriod**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
->
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
-
-Allows IT Admins to specify additional upgrade delays for up to 8 months.
-
-
Supported values are 0-8, which refers to the number of months to defer upgrades.
-
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
-**Update/DetectionFrequency**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
-
-
-
-
-**Update/EngagedRestartDeadline**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
-
-
Supported values are 2-30 days.
-
-
The default value is 0 days (not specified).
-
-
-
-
-**Update/EngagedRestartSnoozeSchedule**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
-
-
Supported values are 1-3 days.
-
-
The default value is 3 days.
-
-
-
-
-**Update/EngagedRestartTransitionSchedule**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-
-
Supported values are 2-30 days.
-
-
The default value is 7 days.
-
-
-
-
-**Update/ExcludeWUDriversInQualityUpdate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
-Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
-
The following list shows the supported values:
-
-- 0 (default) – Allow Windows Update drivers.
-- 1 – Exclude Windows Update drivers.
-
-
-
-
-**Update/FillEmptyContentUrls**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
-
-> [!NOTE]
-> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
-
-
The following list shows the supported values:
-
-- 0 (default) – Disabled.
-- 1 – Enabled.
-
-
-
-
-**Update/IgnoreMOAppDownloadLimit**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
-
-> [!WARNING]
-> Setting this policy might cause devices to incur costs from MO operators.
-
-
The following list shows the supported values:
-
-- 0 (default) – Do not ignore MO download limit for apps and their updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
-
-
To validate this policy:
-
-1. Enable the policy ensure the device is on a cellular network.
-2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
-
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
-
-
-
-**Update/IgnoreMOUpdateDownloadLimit**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
-
-> [!WARNING]
-> Setting this policy might cause devices to incur costs from MO operators.
-
-
The following list shows the supported values:
-
-- 0 (default) – Do not ignore MO download limit for OS updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
-
-
To validate this policy:
-
-1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
-
-
-
-**Update/PauseDeferrals**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
-
-Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
-
-
The following list shows the supported values:
-
-- 0 (default) – Deferrals are not paused.
-- 1 – Deferrals are paused.
-
-
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
-**Update/PauseFeatureUpdates**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
-
-
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
-
-
The following list shows the supported values:
-
-- 0 (default) – Feature Updates are not paused.
-- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
-
-
-
-
-**Update/PauseFeatureUpdatesStartTime**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
-
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
-
-
-
-
-**Update/PauseQualityUpdates**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- 1 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
-
-
The following list shows the supported values:
-
-- 0 (default) – Quality Updates are not paused.
-- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
-
-
-
-
-**Update/PauseQualityUpdatesStartTime**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
-
-
Value type is string. Supported operations are Add, Get, Delete, and Replace.
-
-
-
-
-**Update/RequireDeferUpgrade**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
-
-Allows the IT admin to set a device to CBB train.
-
-
The following list shows the supported values:
-
-- 0 (default) – User gets upgrades from Current Branch.
-- 1 – User gets upgrades from Current Branch for Business.
-
-
-
-
-**Update/RequireUpdateApproval**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
-
-Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
-
-
Supported operations are Get and Replace.
-
-
The following list shows the supported values:
-
-- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
-
-
-
-
-**Update/ScheduleImminentRestartWarning**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
-
-
Supported values are 15, 30, or 60 (minutes).
-
-
The default value is 15 (minutes).
-
-
-
-
-**Update/ScheduleRestartWarning**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
-
-
Supported values are 2, 4, 8, 12, or 24 (hours).
-
-
The default value is 4 (hours).
-
-
-
-
-**Update/ScheduledInstallDay**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Enables the IT admin to schedule the day of the update installation.
-
-
The data type is a integer.
-
-
Supported operations are Add, Delete, Get, and Replace.
-
-
The following list shows the supported values:
-
-- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
-- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
-
-
-
-
-**Update/ScheduledInstallEveryWeek**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
-
-
-
-
-Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
-
-- 0 - no update in the schedule
-- 1 - update is scheduled every week
-
-
-
-
-
-**Update/ScheduledInstallFirstWeek**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
-
-
-
-
-Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
-
-- 0 - no update in the schedule
-- 1 - update is scheduled every first week of the month
-
-
-
-
-
-**Update/ScheduledInstallFourthWeek**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
-
-
-
-
-Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
-
-- 0 - no update in the schedule
-- 1 - update is scheduled every fourth week of the month
-
-
-
-
-
-**Update/ScheduledInstallSecondWeek**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
-
-
-
-
-Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
-
-- 0 - no update in the schedule
-- 1 - update is scheduled every second week of the month
-
-
-
-
-
-**Update/ScheduledInstallThirdWeek**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 3 |
- 3 |
- 3 |
- 3 |
- 3 |
- |
-
-
-
-
-
-Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
-
-- 0 - no update in the schedule
-- 1 - update is scheduled every third week of the month
-
-
-
-
-
-**Update/ScheduledInstallTime**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Enables the IT admin to schedule the time of the update installation.
-
-
The data type is a integer.
-
-
Supported operations are Add, Delete, Get, and Replace.
-
-
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
-
-
The default value is 3.
-
-
-
-
-**Update/SetAutoRestartNotificationDisable**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
-
-
The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
-
-
-
-
-**Update/SetEDURestart**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
-
-
The following list shows the supported values:
-
-- 0 - not configured
-- 1 - configured
-
-
-
-
-**Update/UpdateServiceUrl**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-> [!Important]
-> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
-
-Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
-
-
Supported operations are Get and Replace.
-
-
The following list shows the supported values:
-
-- Not configured. The device checks for updates from Microsoft Update.
-- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
-
-Example
-
-``` syntax
-
- $CmdID$
- -
-
- chr
- text/plain
-
-
- ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
-
- http://abcd-srv:8530
-
-
-```
-
-
-
-
-**Update/UpdateServiceUrlAlternate**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
-Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-
-
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
-
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-
-
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
-
-> [!Note]
-> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
-> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
-> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
-
-
-
-
-**WiFi/AllowWiFiHotSpotReporting**
-
-
-
This policy has been deprecated.
-
-
-
-
-**Wifi/AllowAutoConnectToWiFiSenseHotspots**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allow or disallow the device to automatically connect to Wi-Fi hotspots.
-
-
The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Wifi/AllowInternetSharing**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allow or disallow internet sharing.
-
-
The following list shows the supported values:
-
-- 0 – Do not allow the use of Internet Sharing.
-- 1 (default) – Allow the use of Internet Sharing.
-
-
Most restricted value is 0.
-
-
-
-
-**Wifi/AllowManualWiFiConfiguration**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
-
-
The following list shows the supported values:
-
-- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed.
-- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
-
-
Most restricted value is 0.
-
-> [!NOTE]
-> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
-
-
-
-
-**Wifi/AllowWiFi**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Allow or disallow WiFi connection.
-
-
The following list shows the supported values:
-
-- 0 – WiFi connection is not allowed.
-- 1 (default) – WiFi connection is allowed.
-
-
Most restricted value is 0.
-
-
-
-
-**Wifi/AllowWiFiDirect**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. Allow WiFi Direct connection..
-
-- 0 - WiFi Direct connection is not allowed.
-- 1 - WiFi Direct connection is allowed.
-
-
-
-
-**Wifi/WLANScanMode**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- |
- |
- |
- |
- |
- |
-
-
-
-
-
-Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
-
-
Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
-
-
The default value is 0.
-
-
Supported operations are Add, Delete, Get, and Replace.
-
-
-
-
-**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
-
-
Value type is bool. The following list shows the supported values:
-
-- 0 - app suggestions are not allowed.
-- 1 (default) -allow app suggestions.
-
-
-
-
-**WindowsInkWorkspace/AllowWindowsInkWorkspace**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
-
-
Value type is int. The following list shows the supported values:
-
-- 0 - access to ink workspace is disabled. The feature is turned off.
-- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
-- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
-
-
-
-
-**WindowsLogon/DisableLockScreenAppNotifications**
-
-
-This policy setting allows you to prevent app notifications from appearing on the lock screen.
-
-If you enable this policy setting, no app notifications are displayed on the lock screen.
-
-If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
-
-
-
-ADMX Info:
-- GP english name: *Turn off app notifications on the lock screen*
-- GP name: *DisableLockScreenAppNotifications*
-- GP path: *System/Logon*
-- GP ADMX file name: *logon.admx*
-
-
-
-
-**WindowsLogon/DontDisplayNetworkSelectionUI**
-
-
-This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
-
-If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
-
-If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
-
-
-
-ADMX Info:
-- GP english name: *Do not display network selection UI*
-- GP name: *DontDisplayNetworkSelectionUI*
-- GP path: *System/Logon*
-- GP ADMX file name: *logon.admx*
-
-
-
-
-**WindowsLogon/HideFastUserSwitching**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- |
- 2 |
- 2 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
-
-
Value type is bool. The following list shows the supported values:
-
-- 0 (default) - Diabled (visible).
-- 1 - Enabled (hidden).
-
-
To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Verify that the Switch account button in Start is hidden.
-
-
-
-
-**WirelessDisplay/AllowProjectionFromPC**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
-
-- 0 - your PC cannot discover or project to other devices.
-- 1 - your PC can discover and project to other devices
-
-
-
-
-**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
-
-- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
-- 1 - your PC can discover and project to other devices over infrastructure.
-
-
-
-
-**WirelessDisplay/AllowProjectionToPC**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
-
-
If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
-
Value type is integer. Valid value:
-
-- 0 - projection to PC is not allowed. Always off and the user cannot enable it.
-- 1 (default) - projection to PC is allowed. Enabled only above the lock screen.
-
-
-
-
-**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
- 2 |
-
-
-
-
-
-Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
-
-- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct.
-- 1 - your PC is discoverable and other devices can project to it over infrastructure.
-
-
-
-
-**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
-
-
-
Added in Windows 10, version 1703.
-
-
-
-
-**WirelessDisplay/RequirePinForPairing**
-
-
-
-
- | Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- MobileEnterprise |
-
-
- |
- 1 |
- |
- 1 |
- 1 |
- |
- |
-
-
-
-
-
-Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
-
-
If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
-
Value type is integer. Valid value:
-
-- 0 (default) - PIN is not required.
-- 1 - PIN is required.
-
-
-
-
-
-Footnote:
-
-- 1 - Added in Windows 10, version 1607.
-- 2 - Added in Windows 10, version 1703.
-
-
+## Policies
+
+### AboveLock policies
+
+
+ -
+ AboveLock/AllowActionCenterNotifications
+
+ -
+ AboveLock/AllowCortanaAboveLock
+
+ -
+ AboveLock/AllowToasts
+
+
+
+### Accounts policies
+
+
+ -
+ Accounts/AllowAddingNonMicrosoftAccountsManually
+
+ -
+ Accounts/AllowMicrosoftAccountConnection
+
+ -
+ Accounts/AllowMicrosoftAccountSignInAssistant
+
+ -
+ Accounts/DomainNamesForEmailSync
+
+
+
+### ActiveXControls policies
+
+
+ -
+ ActiveXControls/ApprovedInstallationSites
+
+
+
+### ApplicationDefaults policies
+
+
+ -
+ ApplicationDefaults/DefaultAssociationsConfiguration
+
+
+
+### ApplicationManagement policies
+
+
+ -
+ ApplicationManagement/AllowAllTrustedApps
+
+ -
+ ApplicationManagement/AllowAppStoreAutoUpdate
+
+ -
+ ApplicationManagement/AllowDeveloperUnlock
+
+ -
+ ApplicationManagement/AllowGameDVR
+
+ -
+ ApplicationManagement/AllowSharedUserAppData
+
+ -
+ ApplicationManagement/AllowStore
+
+ -
+ ApplicationManagement/ApplicationRestrictions
+
+ -
+ ApplicationManagement/DisableStoreOriginatedApps
+
+ -
+ ApplicationManagement/RequirePrivateStoreOnly
+
+ -
+ ApplicationManagement/RestrictAppDataToSystemVolume
+
+ -
+ ApplicationManagement/RestrictAppToSystemVolume
+
+
+
+### AppVirtualization policies
+
+
+ -
+ AppVirtualization/AllowAppVClient
+
+ -
+ AppVirtualization/AllowDynamicVirtualization
+
+ -
+ AppVirtualization/AllowPackageCleanup
+
+ -
+ AppVirtualization/AllowPackageScripts
+
+ -
+ AppVirtualization/AllowPublishingRefreshUX
+
+ -
+ AppVirtualization/AllowReportingServer
+
+ -
+ AppVirtualization/AllowRoamingFileExclusions
+
+ -
+ AppVirtualization/AllowRoamingRegistryExclusions
+
+ -
+ AppVirtualization/AllowStreamingAutoload
+
+ -
+ AppVirtualization/ClientCoexistenceAllowMigrationmode
+
+ -
+ AppVirtualization/IntegrationAllowRootGlobal
+
+ -
+ AppVirtualization/IntegrationAllowRootUser
+
+ -
+ AppVirtualization/PublishingAllowServer1
+
+ -
+ AppVirtualization/PublishingAllowServer2
+
+ -
+ AppVirtualization/PublishingAllowServer3
+
+ -
+ AppVirtualization/PublishingAllowServer4
+
+ -
+ AppVirtualization/PublishingAllowServer5
+
+ -
+ AppVirtualization/StreamingAllowCertificateFilterForClient_SSL
+
+ -
+ AppVirtualization/StreamingAllowHighCostLaunch
+
+ -
+ AppVirtualization/StreamingAllowLocationProvider
+
+ -
+ AppVirtualization/StreamingAllowPackageInstallationRoot
+
+ -
+ AppVirtualization/StreamingAllowPackageSourceRoot
+
+ -
+ AppVirtualization/StreamingAllowReestablishmentInterval
+
+ -
+ AppVirtualization/StreamingAllowReestablishmentRetries
+
+ -
+ AppVirtualization/StreamingSharedContentStoreMode
+
+ -
+ AppVirtualization/StreamingSupportBranchCache
+
+ -
+ AppVirtualization/StreamingVerifyCertificateRevocationList
+
+ -
+ AppVirtualization/VirtualComponentsAllowList
+
+
+
+### AttachmentManager policies
+
+
+ -
+ AttachmentManager/DoNotPreserveZoneInformation
+
+ -
+ AttachmentManager/HideZoneInfoMechanism
+
+ -
+ AttachmentManager/NotifyAntivirusPrograms
+
+
+
+### Authentication policies
+
+
+ -
+ Authentication/AllowEAPCertSSO
+
+ -
+ Authentication/AllowFastReconnect
+
+ -
+ Authentication/AllowSecondaryAuthenticationDevice
+
+
+
+### Autoplay policies
+
+
+ -
+ Autoplay/DisallowAutoplayForNonVolumeDevices
+
+ -
+ Autoplay/SetDefaultAutoRunBehavior
+
+ -
+ Autoplay/TurnOffAutoPlay
+
+
+
+### Bitlocker policies
+
+
+ -
+ Bitlocker/EncryptionMethod
+
+
+
+### Bluetooth policies
+
+
+ -
+ Bluetooth/AllowAdvertising
+
+ -
+ Bluetooth/AllowDiscoverableMode
+
+ -
+ Bluetooth/AllowPrepairing
+
+ -
+ Bluetooth/LocalDeviceName
+
+ -
+ Bluetooth/ServicesAllowedList
+
+
+
+### Browser policies
+
+
+ -
+ Browser/AllowAddressBarDropdown
+
+ -
+ Browser/AllowAutofill
+
+ -
+ Browser/AllowBrowser
+
+ -
+ Browser/AllowCookies
+
+ -
+ Browser/AllowDeveloperTools
+
+ -
+ Browser/AllowDoNotTrack
+
+ -
+ Browser/AllowExtensions
+
+ -
+ Browser/AllowFlash
+
+ -
+ Browser/AllowFlashClickToRun
+
+ -
+ Browser/AllowInPrivate
+
+ -
+ Browser/AllowMicrosoftCompatibilityList
+
+ -
+ Browser/AllowPasswordManager
+
+ -
+
+
+ -
+ Browser/AllowSearchEngineCustomization
+
+ -
+ Browser/AllowSearchSuggestionsinAddressBar
+
+ -
+ Browser/AllowSmartScreen
+
+ -
+ Browser/ClearBrowsingDataOnExit
+
+ -
+ Browser/ConfigureAdditionalSearchEngines
+
+ -
+ Browser/DisableLockdownOfStartPages
+
+ -
+ Browser/EnterpriseModeSiteList
+
+ -
+ Browser/EnterpriseSiteListServiceUrl
+
+ -
+ Browser/FirstRunURL
+
+ -
+ Browser/HomePages
+
+ -
+ Browser/PreventAccessToAboutFlagsInMicrosoftEdge
+
+ -
+ Browser/PreventFirstRunPage
+
+ -
+ Browser/PreventLiveTileDataCollection
+
+ -
+ Browser/PreventSmartScreenPromptOverride
+
+ -
+ Browser/PreventSmartScreenPromptOverrideForFiles
+
+ -
+ Browser/PreventUsingLocalHostIPAddressForWebRTC
+
+ -
+ Browser/SendIntranetTraffictoInternetExplorer
+
+ -
+ Browser/SetDefaultSearchEngine
+
+ -
+ Browser/ShowMessageWhenOpeningSitesInInternetExplorer
+
+ -
+ Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
+
+
+
+### Camera policies
+
+
+ -
+ Camera/AllowCamera
+
+
+
+### Cellular policies
+
+
+ -
+ Cellular/ShowAppCellularAccessUI
+
+
+
+### Connectivity policies
+
+
+ -
+ Connectivity/AllowBluetooth
+
+ -
+ Connectivity/AllowCellularData
+
+ -
+ Connectivity/AllowCellularDataRoaming
+
+ -
+ Connectivity/AllowConnectedDevices
+
+ -
+ Connectivity/AllowNFC
+
+ -
+ Connectivity/AllowUSBConnection
+
+ -
+ Connectivity/AllowVPNOverCellular
+
+ -
+ Connectivity/AllowVPNRoamingOverCellular
+
+ -
+ Connectivity/DiablePrintingOverHTTP
+
+ -
+ Connectivity/DisableDownloadingOfPrintDriversOverHTTP
+
+ -
+ Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
+
+ -
+ Connectivity/HardenedUNCPaths
+
+ -
+ Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge
+
+
+
+### CredentialProviders policies
+
+
+ -
+ CredentialProviders/AllowPINLogon
+
+ -
+ CredentialProviders/BlockPicturePassword
+
+ -
+ CredentialProviders/EnableWindowsAutoPilotResetCredentials
+
+
+
+### CredentialsUI policies
+
+
+ -
+ CredentialsUI/DisablePasswordReveal
+
+ -
+ CredentialsUI/EnumerateAdministrators
+
+
+
+### Cryptography policies
+
+
+ -
+ Cryptography/AllowFipsAlgorithmPolicy
+
+ -
+ Cryptography/TLSCipherSuites
+
+
+
+### DataProtection policies
+
+
+ -
+ DataProtection/AllowDirectMemoryAccess
+
+ -
+ DataProtection/LegacySelectiveWipeID
+
+
+
+### DataUsage policies
+
+
+ -
+ DataUsage/SetCost3G
+
+ -
+ DataUsage/SetCost4G
+
+
+
+### Defender policies
+
+
+ -
+ Defender/AllowArchiveScanning
+
+ -
+ Defender/AllowBehaviorMonitoring
+
+ -
+ Defender/AllowCloudProtection
+
+ -
+ Defender/AllowEmailScanning
+
+ -
+ Defender/AllowFullScanOnMappedNetworkDrives
+
+ -
+ Defender/AllowFullScanRemovableDriveScanning
+
+ -
+ Defender/AllowIOAVProtection
+
+ -
+ Defender/AllowIntrusionPreventionSystem
+
+ -
+ Defender/AllowOnAccessProtection
+
+ -
+ Defender/AllowRealtimeMonitoring
+
+ -
+ Defender/AllowScanningNetworkFiles
+
+ -
+ Defender/AllowScriptScanning
+
+ -
+ Defender/AllowUserUIAccess
+
+ -
+ Defender/AttackSurfaceReductionOnlyExclusions
+
+ -
+ Defender/AttackSurfaceReductionRules
+
+ -
+ Defender/AvgCPULoadFactor
+
+ -
+ Defender/CloudBlockLevel
+
+ -
+ Defender/CloudExtendedTimeout
+
+ -
+ Defender/DaysToRetainCleanedMalware
+
+ -
+ Defender/EnableGuardMyFolders
+
+ -
+ Defender/EnableNetworkProtection
+
+ -
+ Defender/ExcludedExtensions
+
+ -
+ Defender/ExcludedPaths
+
+ -
+ Defender/ExcludedProcesses
+
+ -
+ Defender/GuardedFoldersAllowedApplications
+
+ -
+ Defender/GuardedFoldersList
+
+ -
+ Defender/PUAProtection
+
+ -
+ Defender/RealTimeScanDirection
+
+ -
+ Defender/ScanParameter
+
+ -
+ Defender/ScheduleQuickScanTime
+
+ -
+ Defender/ScheduleScanDay
+
+ -
+ Defender/ScheduleScanTime
+
+ -
+ Defender/SignatureUpdateInterval
+
+ -
+ Defender/SubmitSamplesConsent
+
+ -
+ Defender/ThreatSeverityDefaultAction
+
+
+
+### DeliveryOptimization policies
+
+
+ -
+ DeliveryOptimization/DOAbsoluteMaxCacheSize
+
+ -
+ DeliveryOptimization/DOAllowVPNPeerCaching
+
+ -
+ DeliveryOptimization/DODownloadMode
+
+ -
+ DeliveryOptimization/DOGroupId
+
+ -
+ DeliveryOptimization/DOMaxCacheAge
+
+ -
+ DeliveryOptimization/DOMaxCacheSize
+
+ -
+ DeliveryOptimization/DOMaxDownloadBandwidth
+
+ -
+ DeliveryOptimization/DOMaxUploadBandwidth
+
+ -
+ DeliveryOptimization/DOMinBackgroundQos
+
+ -
+ DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
+
+ -
+ DeliveryOptimization/DOMinDiskSizeAllowedToPeer
+
+ -
+ DeliveryOptimization/DOMinFileSizeToCache
+
+ -
+ DeliveryOptimization/DOMinRAMAllowedToPeer
+
+ -
+ DeliveryOptimization/DOModifyCacheDrive
+
+ -
+ DeliveryOptimization/DOMonthlyUploadDataCap
+
+ -
+ DeliveryOptimization/DOPercentageMaxDownloadBandwidth
+
+
+
+### Desktop policies
+
+
+ -
+ Desktop/PreventUserRedirectionOfProfileFolders
+
+
+
+### DeviceGuard policies
+
+
+ -
+ DeviceGuard/EnableVirtualizationBasedSecurity
+
+ -
+ DeviceGuard/LsaCfgFlags
+
+ -
+ DeviceGuard/RequirePlatformSecurityFeatures
+
+
+
+### DeviceInstallation policies
+
+
+ -
+ DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
+
+ -
+ DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
+
+
+
+### DeviceLock policies
+
+
+ -
+ DeviceLock/AllowIdleReturnWithoutPassword
+
+ -
+ DeviceLock/AllowScreenTimeoutWhileLockedUserConfig
+
+ -
+ DeviceLock/AllowSimpleDevicePassword
+
+ -
+ DeviceLock/AlphanumericDevicePasswordRequired
+
+ -
+ DeviceLock/DevicePasswordEnabled
+
+ -
+ DeviceLock/DevicePasswordExpiration
+
+ -
+ DeviceLock/DevicePasswordHistory
+
+ -
+ DeviceLock/EnforceLockScreenAndLogonImage
+
+ -
+ DeviceLock/EnforceLockScreenProvider
+
+ -
+ DeviceLock/MaxDevicePasswordFailedAttempts
+
+ -
+ DeviceLock/MaxInactivityTimeDeviceLock
+
+ -
+ DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
+
+ -
+ DeviceLock/MinDevicePasswordComplexCharacters
+
+ -
+ DeviceLock/MinDevicePasswordLength
+
+ -
+ DeviceLock/PreventLockScreenSlideShow
+
+ -
+ DeviceLock/ScreenTimeoutWhileLocked
+
+
+
+### Display policies
+
+
+ -
+ Display/TurnOffGdiDPIScalingForApps
+
+ -
+ Display/TurnOnGdiDPIScalingForApps
+
+
+
+### EnterpriseCloudPrint policies
+
+
+ -
+ EnterpriseCloudPrint/CloudPrintOAuthAuthority
+
+ -
+ EnterpriseCloudPrint/CloudPrintOAuthClientId
+
+ -
+ EnterpriseCloudPrint/CloudPrintResourceId
+
+ -
+ EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
+
+ -
+ EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
+
+ -
+ EnterpriseCloudPrint/MopriaDiscoveryResourceId
+
+
+
+### ErrorReporting policies
+
+
+ -
+ ErrorReporting/CustomizeConsentSettings
+
+ -
+ ErrorReporting/DisableWindowsErrorReporting
+
+ -
+ ErrorReporting/DisplayErrorNotification
+
+ -
+ ErrorReporting/DoNotSendAdditionalData
+
+ -
+ ErrorReporting/PreventCriticalErrorDisplay
+
+
+
+### EventLogService policies
+
+
+ -
+ EventLogService/ControlEventLogBehavior
+
+ -
+ EventLogService/SpecifyMaximumFileSizeApplicationLog
+
+ -
+ EventLogService/SpecifyMaximumFileSizeSecurityLog
+
+ -
+ EventLogService/SpecifyMaximumFileSizeSystemLog
+
+
+
+### Experience policies
+
+
+ -
+ Experience/AllowCopyPaste
+
+ -
+ Experience/AllowCortana
+
+ -
+ Experience/AllowDeviceDiscovery
+
+ -
+ Experience/AllowManualMDMUnenrollment
+
+ -
+ Experience/AllowSIMErrorDialogPromptWhenNoSIM
+
+ -
+ Experience/AllowScreenCapture
+
+ -
+ Experience/AllowSyncMySettings
+
+ -
+ Experience/AllowTailoredExperiencesWithDiagnosticData
+
+ -
+ Experience/AllowTaskSwitcher
+
+ -
+ Experience/AllowThirdPartySuggestionsInWindowsSpotlight
+
+ -
+ Experience/AllowVoiceRecording
+
+ -
+ Experience/AllowWindowsConsumerFeatures
+
+ -
+ Experience/AllowWindowsSpotlight
+
+ -
+ Experience/AllowWindowsSpotlightOnActionCenter
+
+ -
+ Experience/AllowWindowsSpotlightWindowsWelcomeExperience
+
+ -
+ Experience/AllowWindowsTips
+
+ -
+ Experience/ConfigureWindowsSpotlightOnLockScreen
+
+ -
+ Experience/DoNotShowFeedbackNotifications
+
+
+
+### Games policies
+
+
+ -
+ Games/AllowAdvancedGamingServices
+
+
+
+### InternetExplorer policies
+
+
+ -
+ InternetExplorer/AddSearchProvider
+
+ -
+ InternetExplorer/AllowActiveXFiltering
+
+ -
+ InternetExplorer/AllowAddOnList
+
+ -
+ InternetExplorer/AllowAutoComplete
+
+ -
+ InternetExplorer/AllowCertificateAddressMismatchWarning
+
+ -
+ InternetExplorer/AllowDeletingBrowsingHistoryOnExit
+
+ -
+ InternetExplorer/AllowEnhancedProtectedMode
+
+ -
+
+
+ -
+ InternetExplorer/AllowEnterpriseModeSiteList
+
+ -
+ InternetExplorer/AllowFallbackToSSL3
+
+ -
+ InternetExplorer/AllowInternetExplorer7PolicyList
+
+ -
+ InternetExplorer/AllowInternetExplorerStandardsMode
+
+ -
+ InternetExplorer/AllowInternetZoneTemplate
+
+ -
+ InternetExplorer/AllowIntranetZoneTemplate
+
+ -
+ InternetExplorer/AllowLocalMachineZoneTemplate
+
+ -
+ InternetExplorer/AllowLockedDownInternetZoneTemplate
+
+ -
+ InternetExplorer/AllowLockedDownIntranetZoneTemplate
+
+ -
+ InternetExplorer/AllowLockedDownLocalMachineZoneTemplate
+
+ -
+ InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate
+
+ -
+ InternetExplorer/AllowOneWordEntry
+
+ -
+ InternetExplorer/AllowSiteToZoneAssignmentList
+
+ -
+ InternetExplorer/AllowSoftwareWhenSignatureIsInvalid
+
+ -
+ InternetExplorer/AllowSuggestedSites
+
+ -
+ InternetExplorer/AllowTrustedSitesZoneTemplate
+
+ -
+ InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate
+
+ -
+ InternetExplorer/AllowsRestrictedSitesZoneTemplate
+
+ -
+ InternetExplorer/CheckServerCertificateRevocation
+
+ -
+ InternetExplorer/CheckSignaturesOnDownloadedPrograms
+
+ -
+ InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses
+
+ -
+ InternetExplorer/DisableAdobeFlash
+
+ -
+ InternetExplorer/DisableBlockingOfOutdatedActiveXControls
+
+ -
+ InternetExplorer/DisableBypassOfSmartScreenWarnings
+
+ -
+ InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles
+
+ -
+ InternetExplorer/DisableConfiguringHistory
+
+ -
+ InternetExplorer/DisableCrashDetection
+
+ -
+ InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation
+
+ -
+ InternetExplorer/DisableDeletingUserVisitedWebsites
+
+ -
+ InternetExplorer/DisableEnclosureDownloading
+
+ -
+ InternetExplorer/DisableEncryptionSupport
+
+ -
+ InternetExplorer/DisableFirstRunWizard
+
+ -
+ InternetExplorer/DisableFlipAheadFeature
+
+ -
+ InternetExplorer/DisableHomePageChange
+
+ -
+ InternetExplorer/DisableIgnoringCertificateErrors
+
+ -
+ InternetExplorer/DisableInPrivateBrowsing
+
+ -
+ InternetExplorer/DisableProcessesInEnhancedProtectedMode
+
+ -
+ InternetExplorer/DisableProxyChange
+
+ -
+ InternetExplorer/DisableSearchProviderChange
+
+ -
+ InternetExplorer/DisableSecondaryHomePageChange
+
+ -
+ InternetExplorer/DisableSecuritySettingsCheck
+
+ -
+ InternetExplorer/DisableUpdateCheck
+
+ -
+ InternetExplorer/DoNotAllowActiveXControlsInProtectedMode
+
+ -
+ InternetExplorer/DoNotAllowUsersToAddSites
+
+ -
+ InternetExplorer/DoNotAllowUsersToChangePolicies
+
+ -
+ InternetExplorer/DoNotBlockOutdatedActiveXControls
+
+ -
+ InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains
+
+ -
+ InternetExplorer/IncludeAllLocalSites
+
+ -
+ InternetExplorer/IncludeAllNetworkPaths
+
+ -
+ InternetExplorer/InternetZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/InternetZoneAllowCopyPasteViaScript
+
+ -
+ InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
+
+ -
+ InternetExplorer/InternetZoneAllowFontDownloads
+
+ -
+ InternetExplorer/InternetZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG
+
+ -
+ InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls
+
+ -
+ InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
+
+ -
+ InternetExplorer/InternetZoneAllowScriptInitiatedWindows
+
+ -
+ InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls
+
+ -
+ InternetExplorer/InternetZoneAllowScriptlets
+
+ -
+ InternetExplorer/InternetZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript
+
+ -
+ InternetExplorer/InternetZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1
+
+ -
+ InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2
+
+ -
+ InternetExplorer/InternetZoneDownloadSignedActiveXControls
+
+ -
+ InternetExplorer/InternetZoneDownloadUnsignedActiveXControls
+
+ -
+ InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter
+
+ -
+ InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
+
+ -
+ InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
+
+ -
+ InternetExplorer/InternetZoneEnableMIMESniffing
+
+ -
+ InternetExplorer/InternetZoneEnableProtectedMode
+
+ -
+ InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer
+
+ -
+ InternetExplorer/InternetZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe
+
+ -
+ InternetExplorer/InternetZoneJavaPermissionsWRONG1
+
+ -
+ InternetExplorer/InternetZoneJavaPermissionsWRONG2
+
+ -
+ InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME
+
+ -
+ InternetExplorer/InternetZoneLogonOptions
+
+ -
+ InternetExplorer/InternetZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode
+
+ -
+ InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
+
+ -
+ InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles
+
+ -
+ InternetExplorer/InternetZoneUsePopupBlocker
+
+ -
+ InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone
+
+ -
+ InternetExplorer/IntranetZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/IntranetZoneAllowFontDownloads
+
+ -
+ InternetExplorer/IntranetZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/IntranetZoneAllowScriptlets
+
+ -
+ InternetExplorer/IntranetZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/IntranetZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/IntranetZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/LocalMachineZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/LocalMachineZoneAllowFontDownloads
+
+ -
+ InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/LocalMachineZoneAllowScriptlets
+
+ -
+ InternetExplorer/LocalMachineZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/LocalMachineZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls
+
+ -
+ InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/LocalMachineZoneJavaPermissions
+
+ -
+ InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowFontDownloads
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowScriptlets
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/LockedDownInternetZoneJavaPermissions
+
+ -
+ InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowFontDownloads
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowScriptlets
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneJavaPermissions
+
+ -
+ InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
+
+ -
+ InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
+
+ -
+ InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses
+
+ -
+ InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
+
+ -
+ InternetExplorer/NotificationBarInternetExplorerProcesses
+
+ -
+ InternetExplorer/PreventManagingSmartScreenFilter
+
+ -
+ InternetExplorer/PreventPerUserInstallationOfActiveXControls
+
+ -
+ InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses
+
+ -
+ InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
+
+ -
+ InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
+
+ -
+ InternetExplorer/RestrictFileDownloadInternetExplorerProcesses
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowActiveScripting
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowFileDownloads
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowFontDownloads
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowScriptlets
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript
+
+ -
+ InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
+
+ -
+ InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
+
+ -
+ InternetExplorer/RestrictedSitesZoneEnableMIMESniffing
+
+ -
+ InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer
+
+ -
+ InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/RestrictedSitesZoneJavaPermissions
+
+ -
+ InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME
+
+ -
+ InternetExplorer/RestrictedSitesZoneLogonOptions
+
+ -
+ InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains
+
+ -
+ InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
+
+ -
+ InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
+
+ -
+ InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting
+
+ -
+ InternetExplorer/RestrictedSitesZoneWRONG
+
+ -
+ InternetExplorer/RestrictedSitesZoneWRONG2
+
+ -
+ InternetExplorer/RestrictedSitesZoneWRONG3
+
+ -
+ InternetExplorer/RestrictedSitesZoneWRONG4
+
+ -
+ InternetExplorer/RestrictedSitesZoneWRONG5
+
+ -
+ InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses
+
+ -
+ InternetExplorer/SearchProviderList
+
+ -
+ InternetExplorer/SecurityZonesUseOnlyMachineSettings
+
+ -
+ InternetExplorer/SpecifyUseOfActiveXInstallerService
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowAccessToDataSources
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowFontDownloads
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowScriptlets
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowSmartScreenIE
+
+ -
+ InternetExplorer/TrustedSitesZoneAllowUserDataPersistence
+
+ -
+ InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls
+
+ -
+ InternetExplorer/TrustedSitesZoneJavaPermissions
+
+ -
+ InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames
+
+ -
+ InternetExplorer/TrustedSitesZoneWRONG1
+
+ -
+ InternetExplorer/TrustedSitesZoneWRONG2
+
+
+
+### Kerberos policies
+
+
+ -
+ Kerberos/AllowForestSearchOrder
+
+ -
+ Kerberos/KerberosClientSupportsClaimsCompoundArmor
+
+ -
+ Kerberos/RequireKerberosArmoring
+
+ -
+ Kerberos/RequireStrictKDCValidation
+
+ -
+ Kerberos/SetMaximumContextTokenSize
+
+
+
+### Licensing policies
+
+
+ -
+ Licensing/AllowWindowsEntitlementReactivation
+
+ -
+ Licensing/DisallowKMSClientOnlineAVSValidation
+
+
+
+### Location policies
+
+
+ -
+ Location/EnableLocation
+
+
+
+### LockDown policies
+
+
+ -
+ LockDown/AllowEdgeSwipe
+
+
+
+### Maps policies
+
+
+ -
+ Maps/AllowOfflineMapsDownloadOverMeteredConnection
+
+ -
+ Maps/EnableOfflineMapsAutoUpdate
+
+
+
+### Messaging policies
+
+
+ -
+ Messaging/AllowMMS
+
+ -
+ Messaging/AllowMessageSync
+
+ -
+ Messaging/AllowRCS
+
+
+
+### NetworkIsolation policies
+
+
+ -
+ NetworkIsolation/EnterpriseCloudResources
+
+ -
+ NetworkIsolation/EnterpriseIPRange
+
+ -
+ NetworkIsolation/EnterpriseIPRangesAreAuthoritative
+
+ -
+ NetworkIsolation/EnterpriseInternalProxyServers
+
+ -
+ NetworkIsolation/EnterpriseNetworkDomainNames
+
+ -
+ NetworkIsolation/EnterpriseProxyServers
+
+ -
+ NetworkIsolation/EnterpriseProxyServersAreAuthoritative
+
+ -
+ NetworkIsolation/NeutralResources
+
+
+
+### Notifications policies
+
+
+ -
+ Notifications/DisallowNotificationMirroring
+
+
+
+### Power policies
+
+
+ -
+ Power/AllowStandbyWhenSleepingPluggedIn
+
+ -
+ Power/DisplayOffTimeoutOnBattery
+
+ -
+ Power/DisplayOffTimeoutPluggedIn
+
+ -
+ Power/HibernateTimeoutOnBattery
+
+ -
+ Power/HibernateTimeoutPluggedIn
+
+ -
+ Power/RequirePasswordWhenComputerWakesOnBattery
+
+ -
+ Power/RequirePasswordWhenComputerWakesPluggedIn
+
+ -
+ Power/StandbyTimeoutOnBattery
+
+ -
+ Power/StandbyTimeoutPluggedIn
+
+
+
+### Printers policies
+
+
+ -
+ Printers/PointAndPrintRestrictions
+
+ -
+ Printers/PointAndPrintRestrictions_User
+
+ -
+ Printers/PublishPrinters
+
+
+
+### Privacy policies
+
+
+ -
+ Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
+
+ -
+ Privacy/AllowInputPersonalization
+
+ -
+ Privacy/DisableAdvertisingId
+
+ -
+ Privacy/LetAppsAccessAccountInfo
+
+ -
+ Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessCalendar
+
+ -
+ Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessCallHistory
+
+ -
+ Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessCamera
+
+ -
+ Privacy/LetAppsAccessCamera_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessCamera_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessContacts
+
+ -
+ Privacy/LetAppsAccessContacts_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessContacts_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessEmail
+
+ -
+ Privacy/LetAppsAccessEmail_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessEmail_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessLocation
+
+ -
+ Privacy/LetAppsAccessLocation_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessLocation_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessMessaging
+
+ -
+ Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessMicrophone
+
+ -
+ Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessMotion
+
+ -
+ Privacy/LetAppsAccessMotion_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessMotion_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessNotifications
+
+ -
+ Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessPhone
+
+ -
+ Privacy/LetAppsAccessPhone_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessPhone_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessRadios
+
+ -
+ Privacy/LetAppsAccessRadios_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessRadios_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessTasks
+
+ -
+ Privacy/LetAppsAccessTasks_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessTasks_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsAccessTrustedDevices
+
+ -
+ Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsGetDiagnosticInfo
+
+ -
+ Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsRunInBackground
+
+ -
+ Privacy/LetAppsRunInBackground_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsRunInBackground_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
+
+ -
+ Privacy/LetAppsSyncWithDevices
+
+ -
+ Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
+
+ -
+ Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
+
+ -
+ Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
+
+
+
+### RemoteAssistance policies
+
+
+ -
+ RemoteAssistance/CustomizeWarningMessages
+
+ -
+ RemoteAssistance/SessionLogging
+
+ -
+ RemoteAssistance/SolicitedRemoteAssistance
+
+ -
+ RemoteAssistance/UnsolicitedRemoteAssistance
+
+
+
+### RemoteDesktopServices policies
+
+
+ -
+ RemoteDesktopServices/AllowUsersToConnectRemotely
+
+ -
+ RemoteDesktopServices/ClientConnectionEncryptionLevel
+
+ -
+ RemoteDesktopServices/DoNotAllowDriveRedirection
+
+ -
+ RemoteDesktopServices/DoNotAllowPasswordSaving
+
+ -
+ RemoteDesktopServices/PromptForPasswordUponConnection
+
+ -
+ RemoteDesktopServices/RequireSecureRPCCommunication
+
+
+
+### RemoteManagement policies
+
+
+ -
+ RemoteManagement/AllowBasicAuthentication_Client
+
+ -
+ RemoteManagement/AllowBasicAuthentication_Service
+
+ -
+ RemoteManagement/AllowCredSSPAuthenticationClient
+
+ -
+ RemoteManagement/AllowCredSSPAuthenticationService
+
+ -
+ RemoteManagement/AllowRemoteServerManagement
+
+ -
+ RemoteManagement/AllowUnencryptedTraffic_Client
+
+ -
+ RemoteManagement/AllowUnencryptedTraffic_Service
+
+ -
+ RemoteManagement/DisallowDigestAuthentication
+
+ -
+ RemoteManagement/DisallowNegotiateAuthenticationClient
+
+ -
+ RemoteManagement/DisallowNegotiateAuthenticationService
+
+ -
+ RemoteManagement/DisallowStoringOfRunAsCredentials
+
+ -
+ RemoteManagement/SpecifyChannelBindingTokenHardeningLevel
+
+ -
+ RemoteManagement/TrustedHosts
+
+ -
+ RemoteManagement/TurnOnCompatibilityHTTPListener
+
+ -
+ RemoteManagement/TurnOnCompatibilityHTTPSListener
+
+
+
+### RemoteProcedureCall policies
+
+
+ -
+ RemoteProcedureCall/RPCEndpointMapperClientAuthentication
+
+ -
+ RemoteProcedureCall/RestrictUnauthenticatedRPCClients
+
+
+
+### RemoteShell policies
+
+
+ -
+ RemoteShell/AllowRemoteShellAccess
+
+ -
+ RemoteShell/MaxConcurrentUsers
+
+ -
+ RemoteShell/SpecifyIdleTimeout
+
+ -
+ RemoteShell/SpecifyMaxMemory
+
+ -
+ RemoteShell/SpecifyMaxProcesses
+
+ -
+ RemoteShell/SpecifyMaxRemoteShells
+
+ -
+ RemoteShell/SpecifyShellTimeout
+
+
+
+### Search policies
+
+
+ -
+ Search/AllowIndexingEncryptedStoresOrItems
+
+ -
+ Search/AllowSearchToUseLocation
+
+ -
+ Search/AllowUsingDiacritics
+
+ -
+ Search/AlwaysUseAutoLangDetection
+
+ -
+ Search/DisableBackoff
+
+ -
+ Search/DisableRemovableDriveIndexing
+
+ -
+ Search/PreventIndexingLowDiskSpaceMB
+
+ -
+ Search/PreventRemoteQueries
+
+ -
+ Search/SafeSearchPermissions
+
+
+
+### Security policies
+
+
+ -
+ Security/AllowAddProvisioningPackage
+
+ -
+ Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+ -
+ Security/AllowManualRootCertificateInstallation
+
+ -
+ Security/AllowRemoveProvisioningPackage
+
+ -
+ Security/AntiTheftMode
+
+ -
+ Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
+
+ -
+ Security/RequireDeviceEncryption
+
+ -
+ Security/RequireProvisioningPackageSignature
+
+ -
+ Security/RequireRetrieveHealthCertificateOnBoot
+
+
+
+### Settings policies
+
+
+ -
+ Settings/AllowAutoPlay
+
+ -
+ Settings/AllowDataSense
+
+ -
+ Settings/AllowDateTime
+
+ -
+ Settings/AllowEditDeviceName
+
+ -
+ Settings/AllowLanguage
+
+ -
+ Settings/AllowPowerSleep
+
+ -
+ Settings/AllowRegion
+
+ -
+ Settings/AllowSignInOptions
+
+ -
+ Settings/AllowVPN
+
+ -
+ Settings/AllowWorkplace
+
+ -
+ Settings/AllowYourAccount
+
+ -
+ Settings/ConfigureTaskbarCalendar
+
+ -
+ Settings/PageVisibilityList
+
+
+
+### SmartScreen policies
+
+
+ -
+ SmartScreen/EnableAppInstallControl
+
+ -
+ SmartScreen/EnableSmartScreenInShell
+
+ -
+ SmartScreen/PreventOverrideForFilesInShell
+
+
+
+### Speech policies
+
+
+ -
+ Speech/AllowSpeechModelUpdate
+
+
+
+### Start policies
+
+
+ -
+ Start/AllowPinnedFolderDocuments
+
+ -
+ Start/AllowPinnedFolderDownloads
+
+ -
+ Start/AllowPinnedFolderFileExplorer
+
+ -
+ Start/AllowPinnedFolderHomeGroup
+
+ -
+ Start/AllowPinnedFolderMusic
+
+ -
+ Start/AllowPinnedFolderNetwork
+
+ -
+ Start/AllowPinnedFolderPersonalFolder
+
+ -
+ Start/AllowPinnedFolderPictures
+
+ -
+ Start/AllowPinnedFolderSettings
+
+ -
+ Start/AllowPinnedFolderVideos
+
+ -
+ Start/ForceStartSize
+
+ -
+ Start/HideAppList
+
+ -
+ Start/HideChangeAccountSettings
+
+ -
+ Start/HideFrequentlyUsedApps
+
+ -
+ Start/HideHibernate
+
+ -
+ Start/HideLock
+
+ -
+ Start/HidePowerButton
+
+ -
+ Start/HideRecentJumplists
+
+ -
+ Start/HideRecentlyAddedApps
+
+ -
+ Start/HideRestart
+
+ -
+ Start/HideShutDown
+
+ -
+ Start/HideSignOut
+
+ -
+ Start/HideSleep
+
+ -
+ Start/HideSwitchAccount
+
+ -
+ Start/HideUserTile
+
+ -
+ Start/ImportEdgeAssets
+
+ -
+ Start/NoPinningToTaskbar
+
+ -
+ Start/StartLayout
+
+
+
+### Storage policies
+
+
+ -
+ Storage/EnhancedStorageDevices
+
+
+
+### System policies
+
+
+ -
+ System/AllowBuildPreview
+
+ -
+ System/AllowEmbeddedMode
+
+ -
+ System/AllowExperimentation
+
+ -
+ System/AllowFontProviders
+
+ -
+ System/AllowLocation
+
+ -
+ System/AllowStorageCard
+
+ -
+ System/AllowTelemetry
+
+ -
+ System/AllowUserToResetPhone
+
+ -
+ System/BootStartDriverInitialization
+
+ -
+ System/DisableOneDriveFileSync
+
+ -
+ System/DisableSystemRestore
+
+ -
+ System/TelemetryProxy
+
+
+
+### TextInput policies
+
+
+ -
+ TextInput/AllowIMELogging
+
+ -
+ TextInput/AllowIMENetworkAccess
+
+ -
+ TextInput/AllowInputPanel
+
+ -
+ TextInput/AllowJapaneseIMESurrogatePairCharacters
+
+ -
+ TextInput/AllowJapaneseIVSCharacters
+
+ -
+ TextInput/AllowJapaneseNonPublishingStandardGlyph
+
+ -
+ TextInput/AllowJapaneseUserDictionary
+
+ -
+ TextInput/AllowKeyboardTextSuggestions
+
+ -
+ TextInput/AllowKoreanExtendedHanja
+
+ -
+ TextInput/AllowLanguageFeaturesUninstall
+
+ -
+ TextInput/ExcludeJapaneseIMEExceptJIS0208
+
+ -
+ TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC
+
+ -
+ TextInput/ExcludeJapaneseIMEExceptShiftJIS
+
+
+
+### TimeLanguageSettings policies
+
+
+ -
+ TimeLanguageSettings/AllowSet24HourClock
+
+
+
+### Update policies
+
+
+ -
+ Update/ActiveHoursEnd
+
+ -
+ Update/ActiveHoursMaxRange
+
+ -
+
+
+ -
+ Update/AllowAutoUpdate
+
+ -
+ Update/AllowMUUpdateService
+
+ -
+ Update/AllowNonMicrosoftSignedUpdate
+
+ -
+ Update/AllowUpdateService
+
+ -
+ Update/AutoRestartDeadlinePeriodInDays
+
+ -
+ Update/AutoRestartNotificationSchedule
+
+ -
+ Update/AutoRestartRequiredNotificationDismissal
+
+ -
+ Update/BranchReadinessLevel
+
+ -
+ Update/DeferFeatureUpdatesPeriodInDays
+
+ -
+ Update/DeferQualityUpdatesPeriodInDays
+
+ -
+ Update/DeferUpdatePeriod
+
+ -
+ Update/DeferUpgradePeriod
+
+ -
+ Update/DetectionFrequency
+
+ -
+ Update/EngagedRestartDeadline
+
+ -
+ Update/EngagedRestartSnoozeSchedule
+
+ -
+ Update/EngagedRestartTransitionSchedule
+
+ -
+ Update/ExcludeWUDriversInQualityUpdate
+
+ -
+ Update/FillEmptyContentUrls
+
+ -
+ Update/IgnoreMOAppDownloadLimit
+
+ -
+ Update/IgnoreMOUpdateDownloadLimit
+
+ -
+ Update/PauseDeferrals
+
+ -
+ Update/PauseFeatureUpdates
+
+ -
+ Update/PauseFeatureUpdatesStartTime
+
+ -
+ Update/PauseQualityUpdates
+
+ -
+ Update/PauseQualityUpdatesStartTime
+
+ -
+ Update/RequireDeferUpgrade
+
+ -
+ Update/RequireUpdateApproval
+
+ -
+ Update/ScheduleImminentRestartWarning
+
+ -
+ Update/ScheduleRestartWarning
+
+ -
+ Update/ScheduledInstallDay
+
+ -
+ Update/ScheduledInstallEveryWeek
+
+ -
+ Update/ScheduledInstallFirstWeek
+
+ -
+ Update/ScheduledInstallFourthWeek
+
+ -
+ Update/ScheduledInstallSecondWeek
+
+ -
+ Update/ScheduledInstallThirdWeek
+
+ -
+ Update/ScheduledInstallTime
+
+ -
+ Update/SetAutoRestartNotificationDisable
+
+ -
+ Update/SetEDURestart
+
+ -
+ Update/UpdateServiceUrl
+
+ -
+ Update/UpdateServiceUrlAlternate
+
+
+
+### Wifi policies
+
+
+ -
+ WiFi/AllowWiFiHotSpotReporting
+
+ -
+ Wifi/AllowAutoConnectToWiFiSenseHotspots
+
+ -
+ Wifi/AllowInternetSharing
+
+ -
+ Wifi/AllowManualWiFiConfiguration
+
+ -
+ Wifi/AllowWiFi
+
+ -
+ Wifi/AllowWiFiDirect
+
+ -
+ Wifi/WLANScanMode
+
+
+
+### WindowsInkWorkspace policies
+
+
+ -
+ WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
+
+ -
+ WindowsInkWorkspace/AllowWindowsInkWorkspace
+
+
+
+### WindowsLogon policies
+
+
+ -
+ WindowsLogon/DisableLockScreenAppNotifications
+
+ -
+ WindowsLogon/DontDisplayNetworkSelectionUI
+
+ -
+ WindowsLogon/HideFastUserSwitching
+
+
+
+### WirelessDisplay policies
+
+
+ -
+ WirelessDisplay/AllowProjectionFromPC
+
+ -
+ WirelessDisplay/AllowProjectionFromPCOverInfrastructure
+
+ -
+ WirelessDisplay/AllowProjectionToPC
+
+ -
+ WirelessDisplay/AllowProjectionToPCOverInfrastructure
+
+ -
+ WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
+
+ -
+ WirelessDisplay/RequirePinForPairing
+
+
+
+
+## ADMX backed policies
+
+- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
+- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
+- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
+- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
+- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
+- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
+- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
+- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
+- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
+- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
+- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
+- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
+- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
+- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
+- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
+- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
+- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
+- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
+- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient_ssl)
+- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
+- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
+- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
+- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
+- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
+- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
+- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
+- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
+- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
+- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
+- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
+- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
+- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
+- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
+- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
+- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
+- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#None)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#None)
+- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#None)
+- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#None)
+- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
+- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#None)
+- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
+- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
+- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
+- [DataUsage/SetCost3G](./policy-csp-datausage.md#datausage-setcost3g)
+- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
+- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
+- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
+- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
+- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
+- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
+- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
+- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
+- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
+- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
+- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
+- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
+- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
+- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
+- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
+- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
+- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
+- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
+- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
+- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
+- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
+- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
+- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
+- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
+- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
+- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
+- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
+- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
+- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
+- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
+- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
+- [InternetExplorer/DisableBlockingOfOutdatedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
+- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
+- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
+- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
+- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
+- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
+- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
+- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
+- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
+- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
+- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
+- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
+- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
+- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
+- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
+- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
+- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
+- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
+- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
+- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
+- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
+- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneJavaPermissionsWRONG1](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneJavaPermissionsWRONG2](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
+- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
+- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
+- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
+- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
+- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
+- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
+- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
+- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
+- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
+- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
+- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
+- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
+- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
+- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
+- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
+- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneWRONG](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneWRONG3](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneWRONG4](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/RestrictedSitesZoneWRONG5](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
+- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
+- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
+- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
+- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
+- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
+- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
+- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
+- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
+- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
+- [InternetExplorer/TrustedSitesZoneWRONG1](./policy-csp-internetexplorer.md#None)
+- [InternetExplorer/TrustedSitesZoneWRONG2](./policy-csp-internetexplorer.md#None)
+- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
+- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
+- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
+- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
+- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
+- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
+- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
+- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
+- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
+- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
+- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions_user)
+- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
+- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
+- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
+- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
+- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
+- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
+- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
+- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
+- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
+- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
+- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
+- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#None)
+- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#None)
+- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
+- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
+- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#None)
+- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#None)
+- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#None)
+- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#None)
+- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#None)
+- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#None)
+- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#None)
+- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
+- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
+- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
+- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
-## Policies Supported by IoT Core
+## Policies supported by IoT Core
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
@@ -21240,6 +3160,9 @@ Footnote:
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
+- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
@@ -21272,27 +3195,27 @@ Footnote:
-## Policies supported by Windows Holographic for Business
+## Policies supported by Windows Holographic for Business
-- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
-- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
-- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-- [Browser/AllowCookies](#browser-allowcookies)
-- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
-- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
-- [Browser/AllowPopups](#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
-- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
-- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
-- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
-- [Experience/AllowCortana](#experience-allowcortana)
-- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [Experience/AllowCortana](#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
@@ -21302,94 +3225,95 @@ Footnote:
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Settings/AllowDateTime](#settings-allowdatetime)
+- [Settings/AllowVPN](#settings-allowvpn)
- [System/AllowFontProviders](#system-allowfontproviders)
-- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
-- [Settings/AllowDateTime](#settings-allowdatetime)
-- [Settings/AllowVPN](#settings-allowvpn)
-- [System/AllowLocation](#system-allowlocation)
-- [System/AllowTelemetry](#system-allowtelemetry)
-- [Update/AllowAutoUpdate](#update-allowautoupdate)
-- [Update/AllowUpdateService](#update-allowupdateservice)
-- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
-- [Update/RequireUpdateApproval](#update-requireupdateapproval)
-- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
-## Policies supported by Microsoft Surface Hub
+## Policies supported by Microsoft Surface Hub
- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)
-- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
-- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
-- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
-- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
-- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)
-- [Browser/AllowCookies](#browser-allowcookies)
-- [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
-- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)
-- [Browser/AllowPopups](#browser-allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)
- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)
- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)
-- [Browser/HomePages](#browser-homepages)
+- [Browser/HomePages](#browser-homepages)
- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)
-- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
-- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
-- [Camera/AllowCamera](#camera-allowcamera)
-- [ConfigOperations/ADMXInstall](#configoperations-admxinstall)
-- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Camera/AllowCamera](#camera-allowcamera)
+- [ConfigOperations/ADMXInstall](#None)
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
-- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
-- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
-- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
-- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
-- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
-- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
-- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
-- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
-- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
-- [Defender/ExcludedExtensions](#defender-excludedextensions)
-- [Defender/ExcludedPaths](#defender-excludedpaths)
-- [Defender/ExcludedProcesses](#defender-excludedprocesses)
-- [Defender/PUAProtection](#defender-puaprotection)
-- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
-- [Defender/ScanParameter](#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](#defender-schedulescanday)
-- [Defender/ScheduleScanTime](#defender-schedulescantime)
-- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
+- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
+- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
+- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
+- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](#defender-excludedextensions)
+- [Defender/ExcludedPaths](#defender-excludedpaths)
+- [Defender/ExcludedProcesses](#defender-excludedprocesses)
+- [Defender/PUAProtection](#defender-puaprotection)
+- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
+- [Defender/ScanParameter](#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](#defender-schedulescanday)
+- [Defender/ScheduleScanTime](#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/AllowKernelControlFlowGuard](#None)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@@ -21398,40 +3322,41 @@ Footnote:
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
-- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
-- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
-- [System/AllowFontProviders](#system-allowfontproviders)
-- [System/AllowLocation](#system-allowlocation)
-- [System/AllowTelemetry](#system-allowtelemetry)
-- [TextInput/AllowIMELogging](#textinput-allowimelogging)
-- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
-- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
-- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
-- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
-- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
-- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
-- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
-- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
-- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
-- [TimeLanguageSettings/Set24HourClock](#timelanguagesettings-set24hourclock)
-- [TimeLanguageSettings/SetCountry](#timelanguagesettings-setcountry)
-- [TimeLanguageSettings/SetLanguage](#timelanguagesettings-setlanguage)
-- [Update/AllowAutoUpdate](#update-allowautoupdate)
-- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+- [TextInput/AllowIMELogging](#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
+- [TimeLanguageSettings/Set24HourClock](#None)
+- [TimeLanguageSettings/SetCountry](#None)
+- [TimeLanguageSettings/SetLanguage](#None)
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)
-- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
-- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
+- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
- [Update/DetectionFrequency](#update-detectionfrequency)
-- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
-- [Update/PauseQualityUpdates](#update-pausequalityupdates)
+- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](#update-pausequalityupdates)
- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)
- [Update/ScheduleRestartWarning](#update-schedulerestartwarning)
- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)
-- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)
+- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
@@ -21451,6 +3376,7 @@ Footnote:
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
+- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [System/AllowStorageCard](#system-allowstoragecard)
@@ -21459,6 +3385,7 @@ Footnote:
- [Wifi/AllowWiFi](#wifi-allowwifi)
+
## Examples
Set the minimum password length to 4 characters.
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
new file mode 100644
index 0000000000..125546ca2b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -0,0 +1,145 @@
+---
+title: Policy CSP - AboveLock
+description: Policy CSP - AboveLock
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - AboveLock
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## AboveLock policies
+
+
+**AboveLock/AllowActionCenterNotifications**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+Specifies whether to allow Action Center notifications above the device lock screen.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**AboveLock/AllowCortanaAboveLock**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**AboveLock/AllowToasts**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to allow toast notifications above the device lock screen.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
new file mode 100644
index 0000000000..8e3cbf0a9f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -0,0 +1,186 @@
+---
+title: Policy CSP - Accounts
+description: Policy CSP - Accounts
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Accounts
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Accounts policies
+
+
+**Accounts/AllowAddingNonMicrosoftAccountsManually**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether user is allowed to add non-MSA email accounts.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+> [!NOTE]
+> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md).
+
+
+
+
+**Accounts/AllowMicrosoftAccountConnection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Accounts/AllowMicrosoftAccountSignInAssistant**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
+
+
The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 (default) – Manual start.
+
+
+
+
+**Accounts/DomainNamesForEmailSync**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies a list of the domains that are allowed to sync email on the device.
+
+
The data type is a string.
+
+
The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Accounts policies supported by Windows Holographic for Business
+
+- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
+
+
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
new file mode 100644
index 0000000000..e2cb16c774
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -0,0 +1,74 @@
+---
+title: Policy CSP - ActiveXControls
+description: Policy CSP - ActiveXControls
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - ActiveXControls
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## ActiveXControls policies
+
+
+**ActiveXControls/ApprovedInstallationSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
+
+If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
+
+If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
+
+Note: Wild card characters cannot be used when specifying the host URLs.
+
+
+
+ADMX Info:
+- GP english name: *Approved Installation Sites for ActiveX Controls*
+- GP name: *ApprovedActiveXInstallSites*
+- GP ADMX file name: *ActiveXInstallService.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
new file mode 100644
index 0000000000..bf34e7343f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -0,0 +1,121 @@
+---
+title: Policy CSP - ApplicationDefaults
+description: Policy CSP - ApplicationDefaults
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - ApplicationDefaults
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## ApplicationDefaults policies
+
+
+**ApplicationDefaults/DefaultAssociationsConfiguration**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
+
+
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
+
+
To create create the SyncML, follow these steps:
+
+- Install a few apps and change your defaults.
+- From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
+- Take the XML output and put it through your favorite base64 encoder app.
+- Paste the base64 encoded XML into the SyncML
+
+
+Here is an example output from the dism default association export command:
+
+``` syntax
+
+
+
+
+
+
+
+Here is the base64 encoded result:
+
+``` syntax
+PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+```
+
+
Here is the SyncMl example:
+
+``` syntax
+
+
+
+
+ 101
+ -
+
+ chr
+ text/plain
+
+
+ ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
+
+ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+
+
+
+
+
+
+```
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## ApplicationDefaults policies supported by Microsoft Surface Hub
+
+- [ApplicationDefaults/DefaultAssociationsConfiguration](#applicationdefaults-defaultassociationsconfiguration)
+
+
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
new file mode 100644
index 0000000000..805e786817
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -0,0 +1,489 @@
+---
+title: Policy CSP - ApplicationManagement
+description: Policy CSP - ApplicationManagement
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - ApplicationManagement
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## ApplicationManagement policies
+
+
+**ApplicationManagement/AllowAllTrustedApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether non Windows Store apps are allowed.
+
+
The following list shows the supported values:
+
+- 0 – Explicit deny.
+- 1 – Explicit allow unlock.
+- 65535 (default) – Not configured.
+
+
Most restricted value is 0.
+
+
+
+
+**ApplicationManagement/AllowAppStoreAutoUpdate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether automatic update of apps from Windows Store are allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**ApplicationManagement/AllowDeveloperUnlock**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether developer unlock is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Explicit deny.
+- 1 – Explicit allow unlock.
+- 65535 (default) – Not configured.
+
+
Most restricted value is 0.
+
+
+
+
+**ApplicationManagement/AllowGameDVR**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+Specifies whether DVR and broadcasting is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**ApplicationManagement/AllowSharedUserAppData**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether multiple users of the same app can share data.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**ApplicationManagement/AllowStore**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether app store is allowed at the device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**ApplicationManagement/ApplicationRestrictions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
+
+
+An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md).
+
+> [!NOTE]
+> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
+>
+> Here's additional guidance for the upgrade process:
+>
+> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents).
+> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it.
+> - In the SyncML, you must use lowercase product ID.
+> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error.
+> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
+
+
+
An application that is running may not be immediately terminated.
+
+
Value type is chr.
+
+
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies.
+
+
+
+
+**ApplicationManagement/DisableStoreOriginatedApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
+
+
The following list shows the supported values:
+
+- 0 (default) – Enable launch of apps.
+- 1 – Disable launch of apps.
+
+
+
+
+**ApplicationManagement/RequirePrivateStoreOnly**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows disabling of the retail catalog and only enables the Private store.
+
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result.
+
+
+
The following list shows the supported values:
+
+- 0 (default) – Allow both public and Private store.
+- 1 – Only Private store is enabled.
+
+
This is a per user policy.
+
+
Most restricted value is 1.
+
+
+
+
+**ApplicationManagement/RestrictAppDataToSystemVolume**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether application data is restricted to the system drive.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not restricted.
+- 1 – Restricted.
+
+
Most restricted value is 1.
+
+
+
+
+**ApplicationManagement/RestrictAppToSystemVolume**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether the installation of applications is restricted to the system drive.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not restricted.
+- 1 – Restricted.
+
+
Most restricted value is 1.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## ApplicationManagement policies supported by Windows Holographic for Business
+
+- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
+- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+
+
+
+## ApplicationManagement policies supported by IoT Core
+
+- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
+
+
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
new file mode 100644
index 0000000000..3aaaa8966e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -0,0 +1,1194 @@
+---
+title: Policy CSP - AppVirtualization
+description: Policy CSP - AppVirtualization
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - AppVirtualization
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## AppVirtualization policies
+
+
+**AppVirtualization/AllowAppVClient**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
+
+
+
+ADMX Info:
+- GP english name: *Enable App-V Client*
+- GP name: *EnableAppV*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowDynamicVirtualization**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
+
+
+
+ADMX Info:
+- GP english name: *Enable Dynamic Virtualization*
+- GP name: *Virtualization_JITVEnable*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowPackageCleanup**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
+
+
+
+ADMX Info:
+- GP english name: *Enable automatic cleanup of unused appv packages*
+- GP name: *PackageManagement_AutoCleanupEnable*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowPackageScripts**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Enables scripts defined in the package manifest of configuration files that should run.
+
+
+
+ADMX Info:
+- GP english name: *Enable Package Scripts*
+- GP name: *Scripting_Enable_Package_Scripts*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowPublishingRefreshUX**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Enables a UX to display to the user when a publishing refresh is performed on the client.
+
+
+
+ADMX Info:
+- GP english name: *Enable Publishing Refresh UX*
+- GP name: *Enable_Publishing_Refresh_UX*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowReportingServer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Reporting Server URL: Displays the URL of reporting server.
+
+Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM.
+
+Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load.
+
+Repeat reporting for every (days): The periodical interval in days for sending the reporting data.
+
+Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.
+
+Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections.
+
+
+
+ADMX Info:
+- GP english name: *Reporting Server*
+- GP name: *Reporting_Server_Policy*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowRoamingFileExclusions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
+
+
+
+ADMX Info:
+- GP english name: *Roaming File Exclusions*
+- GP name: *Integration_Roaming_File_Exclusions*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowRoamingRegistryExclusions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
+
+
+
+ADMX Info:
+- GP english name: *Roaming Registry Exclusions*
+- GP name: *Integration_Roaming_Registry_Exclusions*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/AllowStreamingAutoload**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies how new packages should be loaded automatically by App-V on a specific computer.
+
+
+
+ADMX Info:
+- GP english name: *Specify what to load in background (aka AutoLoad)*
+- GP name: *Steaming_Autoload*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/ClientCoexistenceAllowMigrationmode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
+
+
+
+ADMX Info:
+- GP english name: *Enable Migration Mode*
+- GP name: *Client_Coexistence_Enable_Migration_mode*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/IntegrationAllowRootGlobal**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
+
+
+
+ADMX Info:
+- GP english name: *Integration Root User*
+- GP name: *Integration_Root_User*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/IntegrationAllowRootUser**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
+
+
+
+ADMX Info:
+- GP english name: *Integration Root Global*
+- GP name: *Integration_Root_Global*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/PublishingAllowServer1**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Publishing Server Display Name: Displays the name of publishing server.
+
+Publishing Server URL: Displays the URL of publishing server.
+
+Global Publishing Refresh: Enables global publishing refresh (Boolean).
+
+Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
+
+Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
+
+Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+User Publishing Refresh: Enables user publishing refresh (Boolean).
+
+User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
+
+User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
+
+User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+
+
+ADMX Info:
+- GP english name: *Publishing Server 1 Settings*
+- GP name: *Publishing_Server1_Policy*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/PublishingAllowServer2**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Publishing Server Display Name: Displays the name of publishing server.
+
+Publishing Server URL: Displays the URL of publishing server.
+
+Global Publishing Refresh: Enables global publishing refresh (Boolean).
+
+Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
+
+Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
+
+Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+User Publishing Refresh: Enables user publishing refresh (Boolean).
+
+User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
+
+User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
+
+User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+
+
+ADMX Info:
+- GP english name: *Publishing Server 2 Settings*
+- GP name: *Publishing_Server2_Policy*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/PublishingAllowServer3**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Publishing Server Display Name: Displays the name of publishing server.
+
+Publishing Server URL: Displays the URL of publishing server.
+
+Global Publishing Refresh: Enables global publishing refresh (Boolean).
+
+Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
+
+Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
+
+Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+User Publishing Refresh: Enables user publishing refresh (Boolean).
+
+User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
+
+User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
+
+User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+
+
+ADMX Info:
+- GP english name: *Publishing Server 3 Settings*
+- GP name: *Publishing_Server3_Policy*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/PublishingAllowServer4**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Publishing Server Display Name: Displays the name of publishing server.
+
+Publishing Server URL: Displays the URL of publishing server.
+
+Global Publishing Refresh: Enables global publishing refresh (Boolean).
+
+Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
+
+Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
+
+Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+User Publishing Refresh: Enables user publishing refresh (Boolean).
+
+User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
+
+User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
+
+User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+
+
+ADMX Info:
+- GP english name: *Publishing Server 4 Settings*
+- GP name: *Publishing_Server4_Policy*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/PublishingAllowServer5**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Publishing Server Display Name: Displays the name of publishing server.
+
+Publishing Server URL: Displays the URL of publishing server.
+
+Global Publishing Refresh: Enables global publishing refresh (Boolean).
+
+Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean).
+
+Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.
+
+Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+User Publishing Refresh: Enables user publishing refresh (Boolean).
+
+User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean).
+
+User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.
+
+User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31).
+
+
+
+ADMX Info:
+- GP english name: *Publishing Server 5 Settings*
+- GP name: *Publishing_Server5_Policy*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the path to a valid certificate in the certificate store.
+
+
+
+ADMX Info:
+- GP english name: *Certificate Filter For Client SSL*
+- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowHighCostLaunch**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
+
+
+
+ADMX Info:
+- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
+- GP name: *Streaming_Allow_High_Cost_Launch*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowLocationProvider**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
+
+
+
+ADMX Info:
+- GP english name: *Location Provider*
+- GP name: *Streaming_Location_Provider*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowPackageInstallationRoot**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies directory where all new applications and updates will be installed.
+
+
+
+ADMX Info:
+- GP english name: *Package Installation Root*
+- GP name: *Streaming_Package_Installation_Root*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowPackageSourceRoot**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Overrides source location for downloading package content.
+
+
+
+ADMX Info:
+- GP english name: *Package Source Root*
+- GP name: *Streaming_Package_Source_Root*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowReestablishmentInterval**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the number of seconds between attempts to reestablish a dropped session.
+
+
+
+ADMX Info:
+- GP english name: *Reestablishment Interval*
+- GP name: *Streaming_Reestablishment_Interval*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingAllowReestablishmentRetries**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the number of times to retry a dropped session.
+
+
+
+ADMX Info:
+- GP english name: *Reestablishment Retries*
+- GP name: *Streaming_Reestablishment_Retries*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingSharedContentStoreMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies that streamed package contents will be not be saved to the local hard disk.
+
+
+
+ADMX Info:
+- GP english name: *Shared Content Store (SCS) mode*
+- GP name: *Streaming_Shared_Content_Store_Mode*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingSupportBranchCache**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
+
+
+
+ADMX Info:
+- GP english name: *Enable Support for BranchCache*
+- GP name: *Streaming_Support_Branch_Cache*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/StreamingVerifyCertificateRevocationList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Verifies Server certificate revocation status before streaming using HTTPS.
+
+
+
+ADMX Info:
+- GP english name: *Verify certificate revocation list*
+- GP name: *Streaming_Verify_Certificate_Revocation_List*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+**AppVirtualization/VirtualComponentsAllowList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
+
+
+
+ADMX Info:
+- GP english name: *Virtual Component Process Allow List*
+- GP name: *Virtualization_JITVAllowList*
+- GP ADMX file name: *appv.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
new file mode 100644
index 0000000000..16d1409a9a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -0,0 +1,162 @@
+---
+title: Policy CSP - AttachmentManager
+description: Policy CSP - AttachmentManager
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - AttachmentManager
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## AttachmentManager policies
+
+
+**AttachmentManager/DoNotPreserveZoneInformation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
+
+If you enable this policy setting, Windows does not mark file attachments with their zone information.
+
+If you disable this policy setting, Windows marks file attachments with their zone information.
+
+If you do not configure this policy setting, Windows marks file attachments with their zone information.
+
+
+
+ADMX Info:
+- GP english name: *Do not preserve zone information in file attachments*
+- GP name: *AM_MarkZoneOnSavedAtttachments*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+**AttachmentManager/HideZoneInfoMechanism**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
+
+If you enable this policy setting, Windows hides the check box and Unblock button.
+
+If you disable this policy setting, Windows shows the check box and Unblock button.
+
+If you do not configure this policy setting, Windows hides the check box and Unblock button.
+
+
+
+ADMX Info:
+- GP english name: *Hide mechanisms to remove zone information*
+- GP name: *AM_RemoveZoneInfo*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+**AttachmentManager/NotifyAntivirusPrograms**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
+
+If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
+
+If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
+
+If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
+
+
+
+ADMX Info:
+- GP english name: *Notify antivirus programs when opening attachments*
+- GP name: *AM_CallIOfficeAntiVirus*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
new file mode 100644
index 0000000000..a3abf1e90d
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -0,0 +1,165 @@
+---
+title: Policy CSP - Authentication
+description: Policy CSP - Authentication
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Authentication
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Authentication policies
+
+
+**Authentication/AllowEAPCertSSO**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
+
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result.
+
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Authentication/AllowFastReconnect**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Authentication/AllowSecondaryAuthenticationDevice**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 – Allowed.
+
+
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Authentication policies supported by Windows Holographic for Business
+
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+
+
+
+## Authentication policies supported by IoT Core
+
+- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
+
+
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
new file mode 100644
index 0000000000..94426589fc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -0,0 +1,175 @@
+---
+title: Policy CSP - Autoplay
+description: Policy CSP - Autoplay
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Autoplay
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Autoplay policies
+
+
+**Autoplay/DisallowAutoplayForNonVolumeDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting disallows AutoPlay for MTP devices like cameras or phones.
+
+If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
+
+If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
+
+
+
+ADMX Info:
+- GP english name: *Disallow Autoplay for non-volume devices*
+- GP name: *NoAutoplayfornonVolume*
+- GP ADMX file name: *AutoPlay.admx*
+
+
+
+
+**Autoplay/SetDefaultAutoRunBehavior**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting sets the default behavior for Autorun commands.
+
+Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
+
+Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
+
+This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
+
+If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:
+
+a) Completely disable autorun commands, or
+b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.
+
+If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
+
+
+
+ADMX Info:
+- GP english name: *Set the default behavior for AutoRun*
+- GP name: *NoAutorun*
+- GP ADMX file name: *AutoPlay.admx*
+
+
+
+
+**Autoplay/TurnOffAutoPlay**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to turn off the Autoplay feature.
+
+Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
+
+Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.
+
+Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.
+
+If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
+
+This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.
+
+If you disable or do not configure this policy setting, AutoPlay is enabled.
+
+Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
+
+
+
+ADMX Info:
+- GP english name: *Turn off Autoplay*
+- GP name: *Autorun*
+- GP ADMX file name: *AutoPlay.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
new file mode 100644
index 0000000000..c4a361dbf8
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -0,0 +1,71 @@
+---
+title: Policy CSP - Bitlocker
+description: Policy CSP - Bitlocker
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Bitlocker
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Bitlocker policies
+
+
+**Bitlocker/EncryptionMethod**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the BitLocker Drive Encryption method and cipher strength.
+
+> [!NOTE]
+> XTS-AES 128-bit and XTS-AES 256-bit values are only supported on Windows 10 for desktop.
+
+
The following list shows the supported values:
+
+- 3 - AES-CBC 128-bit
+- 4 - AES-CBC 256-bit
+- 6 - XTS-AES 128-bit (Desktop only)
+- 7 - XTS-AES 256-bit (Desktop only)
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
new file mode 100644
index 0000000000..c4f2efa69b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -0,0 +1,241 @@
+---
+title: Policy CSP - Bluetooth
+description: Policy CSP - Bluetooth
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Bluetooth
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Bluetooth policies
+
+
+**Bluetooth/AllowAdvertising**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether the device can send out Bluetooth advertisements.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral.
+- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.
+
+
If this is not set or it is deleted, the default value of 1 (Allow) is used.
+
+
Most restricted value is 0.
+
+
+
+
+**Bluetooth/AllowDiscoverableMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether other Bluetooth-enabled devices can discover the device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device.
+- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.
+
+
If this is not set or it is deleted, the default value of 1 (Allow) is used.
+
+
Most restricted value is 0.
+
+
+
+
+**Bluetooth/AllowPrepairing**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default)– Allowed.
+
+
+
+
+**Bluetooth/LocalDeviceName**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Sets the local Bluetooth device name.
+
+
If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified.
+
+
If this policy is not set or it is deleted, the default local radio name is used.
+
+
+
+
+**Bluetooth/ServicesAllowedList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
+
+
The default value is an empty string.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Bluetooth policies supported by Windows Holographic for Business
+
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+
+
+
+## Bluetooth policies supported by IoT Core
+
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+
+
+
+## Bluetooth policies supported by Microsoft Surface Hub
+
+- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
+- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
+- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing)
+- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
+- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist)
+
+
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
new file mode 100644
index 0000000000..ac21e5988b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -0,0 +1,1436 @@
+---
+title: Policy CSP - Browser
+description: Policy CSP - Browser
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Browser
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Browser policies
+
+
+**Browser/AllowAddressBarDropdown**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
+
+> [!NOTE]
+> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."
+- 1 (default) – Allowed. Address bar drop-down is enabled.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/AllowAutofill**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether autofill on websites is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
To verify AllowAutofill is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Save form entries** is greyed out.
+
+
+
+
+**Browser/AllowBrowser**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
+
+
+Specifies whether the browser is allowed on the device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator.
+
+
+
+
+**Browser/AllowCookies**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether cookies are allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
To verify AllowCookies is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Cookies** is greyed out.
+
+
+
+
+**Browser/AllowDeveloperTools**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/AllowDoNotTrack**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether Do Not Track headers are allowed.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
Most restricted value is 1.
+
+
To verify AllowDoNotTrack is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Send Do Not Track requests** is greyed out.
+
+
+
+
+**Browser/AllowExtensions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Browser/AllowFlash**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Browser/AllowFlashClickToRun**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+
+
The following list shows the supported values:
+
+- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge.
+- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
+
+
+
+
+**Browser/AllowInPrivate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether InPrivate browsing is allowed on corporate networks.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/AllowMicrosoftCompatibilityList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
+By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
+
+
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation.
+
+
The following list shows the supported values:
+
+- 0 – Not enabled.
+- 1 (default) – Enabled.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/AllowPasswordManager**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether saving and managing passwords locally on the device is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
To verify AllowPasswordManager is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out.
+
+
+
+
+**Browser/AllowPopups**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether pop-up blocker is allowed or enabled.
+
+
The following list shows the supported values:
+
+- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed.
+- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked.
+
+
Most restricted value is 1.
+
+
To verify AllowPopups is set to 0 (not allowed):
+
+1. Open Microsoft Edge.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Block pop-ups** is greyed out.
+
+
+
+
+**Browser/AllowSearchEngineCustomization**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
+
+
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/AllowSearchSuggestionsinAddressBar**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether search suggestions are allowed in the address bar.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/AllowSmartScreen**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether Windows Defender SmartScreen is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 1.
+
+
To verify AllowSmartScreen is set to 0 (not allowed):
+
+1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
+2. In the upper-right corner of the browser, click **…**.
+3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
+4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
+
+
+
+
+**Browser/ClearBrowsingDataOnExit**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
+
+
The following list shows the supported values:
+
+- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.
+- 1 – Browsing data is cleared on exit.
+
+
Most restricted value is 1.
+
+
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+
+1. Open Microsoft Edge and browse to websites.
+2. Close the Microsoft Edge window.
+3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history.
+
+
+
+
+**Browser/ConfigureAdditionalSearchEngines**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
+
+
If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/).
+Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.
+
+
If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine.
+
+> [!IMPORTANT]
+> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.
+
+
The following list shows the supported values:
+
+- 0 (default) – Additional search engines are not allowed.
+- 1 – Additional search engines are allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/DisableLockdownOfStartPages**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
+
+> [!NOTE]
+> This policy has no effect when the Browser/HomePages policy is not configured.
+
+> [!IMPORTANT]
+> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+
The following list shows the supported values:
+
+- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.
+- 1 – Disable lockdown of the Start pages and allow users to modify them.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/EnterpriseModeSiteList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows the user to specify an URL of an enterprise site list.
+
+
The following list shows the supported values:
+
+- Not configured. The device checks for updates from Microsoft Update.
+- Set to a URL location of the enterprise site list.
+
+
+
+
+**Browser/EnterpriseSiteListServiceUrl**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!IMPORTANT]
+> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
+
+
+
+
+**Browser/FirstRunURL**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time.
+
+
The data type is a string.
+
+
The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”.
+
+
+
+
+**Browser/HomePages**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>"
+
+
Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users.
+
+
Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.
+
+> [!NOTE]
+> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
+
+
+
+
+**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
+
+
The following list shows the supported values:
+
+- 0 (default) – Users can access the about:flags page in Microsoft Edge.
+- 1 – Users can't access the about:flags page in Microsoft Edge.
+
+
+
+
+**Browser/PreventFirstRunPage**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
+
+
The following list shows the supported values:
+
+- 0 (default) – Employees see the First Run webpage.
+- 1 – Employees don't see the First Run webpage.
+
+
Most restricted value is 1.
+
+
+
+
+**Browser/PreventLiveTileDataCollection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
+
+
The following list shows the supported values:
+
+- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge.
+- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge.
+
+
Most restricted value is 1.
+
+
+
+
+**Browser/PreventSmartScreenPromptOverride**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
+
+
The following list shows the supported values:
+
+- 0 (default) – Off.
+- 1 – On.
+
+
Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site.
+
+
+
+
+**Browser/PreventSmartScreenPromptOverrideForFiles**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
+
+
The following list shows the supported values:
+
+- 0 (default) – Off.
+- 1 – On.
+
+
+
+
+**Browser/PreventUsingLocalHostIPAddressForWebRTC**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an
user’s localhost IP address while making phone calls using WebRTC.
+
+
The following list shows the supported values:
+
+- 0 (default) – The localhost IP address is shown.
+- 1 – The localhost IP address is hidden.
+
+
+
+
+**Browser/SendIntranetTraffictoInternetExplorer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Specifies whether to send intranet traffic over to Internet Explorer.
+
+
The following list shows the supported values:
+
+- 0 (default) – Intranet traffic is sent to Internet Explorer.
+- 1 – Intranet traffic is sent to Microsoft Edge.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/SetDefaultSearchEngine**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
+
+
You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.
+
+
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.
+
+> [!IMPORTANT]
+> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+
The following list shows the supported values:
+
+- 0 (default) - The default search engine is set to the one specified in App settings.
+- 1 - Allows you to configure the default search engine for your employees.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
+
+
The following list shows the supported values:
+
+- 0 (default) – Interstitial pages are not shown.
+- 1 – Interstitial pages are shown.
+
+
Most restricted value is 0.
+
+
+
+
+**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+>
+> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices.
+
+
The following list shows the supported values:
+
+- 0 (default) – Synchronization is off.
+- 1 – Synchronization is on.
+
+
To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge:
+
+
+- Open Internet Explorer and add some favorites.
+
- Open Microsoft Edge, then select Hub > Favorites.
+
- Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Browser policies that can be set using Exchange Active Sync (EAS)
+
+- [Browser/AllowBrowser](#browser-allowbrowser)
+
+
+
+## Browser policies supported by Windows Holographic for Business
+
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+
+
+
+## Browser policies supported by IoT Core
+
+- [Browser/AllowAutofill](#browser-allowautofill)
+- [Browser/AllowBrowser](#browser-allowbrowser)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowInPrivate](#browser-allowinprivate)
+- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist)
+- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl)
+- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer)
+
+
+
+## Browser policies supported by Microsoft Surface Hub
+
+- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown)
+- [Browser/AllowCookies](#browser-allowcookies)
+- [Browser/AllowDeveloperTools](#browser-allowdevelopertools)
+- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
+- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist)
+- [Browser/AllowPopups](#browser-allowpopups)
+- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
+- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
+- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit)
+- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines)
+- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages)
+- [Browser/HomePages](#browser-homepages)
+- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection)
+- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride)
+- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles)
+- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine)
+
+
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
new file mode 100644
index 0000000000..052c9a0190
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -0,0 +1,86 @@
+---
+title: Policy CSP - Camera
+description: Policy CSP - Camera
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Camera
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Camera policies
+
+
+**Camera/AllowCamera**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Disables or enables the camera.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Camera policies that can be set using Exchange Active Sync (EAS)
+
+- [Camera/AllowCamera](#camera-allowcamera)
+
+
+
+## Camera policies supported by IoT Core
+
+- [Camera/AllowCamera](#camera-allowcamera)
+
+
+
+## Camera policies supported by Microsoft Surface Hub
+
+- [Camera/AllowCamera](#camera-allowcamera)
+
+
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
new file mode 100644
index 0000000000..2eacb78000
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -0,0 +1,43 @@
+---
+title: Policy CSP - Cellular
+description: Policy CSP - Cellular
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Cellular
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Cellular policies
+
+
+**Cellular/ShowAppCellularAccessUI**
+
+
+
+
+ADMX Info:
+- GP english name: *Set Per-App Cellular Access UI Visibility*
+- GP name: *ShowAppCellularAccessUI*
+- GP ADMX file name: *wwansvc.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
new file mode 100644
index 0000000000..76654d609a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -0,0 +1,485 @@
+---
+title: Policy CSP - Connectivity
+description: Policy CSP - Connectivity
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Connectivity
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Connectivity policies
+
+
+**Connectivity/AllowBluetooth**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows the user to enable Bluetooth or restrict access.
+
+
The following list shows the supported values:
+
+- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on.
+- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
+
+> [!NOTE]
+> This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.
+
+- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.
+
+
If this is not set or it is deleted, the default value of 2 (Allow) is used.
+
+
Most restricted value is 0.
+
+
+
+
+**Connectivity/AllowCellularData**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
+
+
The following list shows the supported values:
+
+- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511.
+- 1 (default) – Allow the cellular data channel. The user can turn it off.
+- 2 - Allow the cellular data channel. The user cannot turn it off.
+
+
+
+
+**Connectivity/AllowCellularDataRoaming**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
+
+
The following list shows the supported values:
+
+- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511.
+- 1 (default) – Allow cellular data roaming.
+- 2 - Allow cellular data roaming on. The user cannot turn it off.
+
+
Most restricted value is 0.
+
+
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
+
+
To validate on mobile devices, do the following:
+
+1. Go to Cellular & SIM.
+2. Click on the SIM (next to the signal strength icon) and select **Properties**.
+3. On the Properties page, select **Data roaming options**.
+
+
+
+
+**Connectivity/AllowConnectedDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences.
+
+
The following list shows the supported values:
+
+- 1 (default) - Allow (CDP service available).
+- 0 - Disable (CDP service not available).
+
+
+
+
+**Connectivity/AllowNFC**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Allows or disallows near field communication (NFC) on the device.
+
+
The following list shows the supported values:
+
+- 0 – Do not allow NFC capabilities.
+- 1 (default) – Allow NFC capabilities.
+
+
Most restricted value is 0.
+
+
+
+
+**Connectivity/AllowUSBConnection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging.
+
+
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Connectivity/AllowVPNOverCellular**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies what type of underlying connections VPN is allowed to use.
+
+
The following list shows the supported values:
+
+- 0 – VPN is not allowed over cellular.
+- 1 (default) – VPN can use any connection, including cellular.
+
+
Most restricted value is 0.
+
+
+
+
+**Connectivity/AllowVPNRoamingOverCellular**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Prevents the device from connecting to VPN when the device roams over cellular networks.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Connectivity/DiablePrintingOverHTTP**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off printing over HTTP*
+- GP name: *DisableHTTPPrinting_2*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off downloading of print drivers over HTTP*
+- GP name: *DisableWebPnPDownload_2*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off Internet download for Web publishing and online ordering wizards*
+- GP name: *ShellPreventWPWDownload_2*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+**Connectivity/HardenedUNCPaths**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting configures secure access to UNC paths.
+
+If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
+
+
+
+ADMX Info:
+- GP english name: *Hardened UNC Paths*
+- GP name: *Pol_HardenedPaths*
+- GP ADMX file name: *networkprovider.admx*
+
+
+
+
+**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
+
+
+
+
+ADMX Info:
+- GP english name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
+- GP name: *NC_AllowNetBridge_NLA*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Connectivity policies that can be set using Exchange Active Sync (EAS)
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+
+
+
+## Connectivity policies supported by Windows Holographic for Business
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+
+
+
+## Connectivity policies supported by IoT Core
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming)
+- [Connectivity/AllowNFC](#connectivity-allownfc)
+- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
+- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular)
+- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular)
+- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths)
+
+
+
+## Connectivity policies supported by Microsoft Surface Hub
+
+- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
+- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices)
+
+
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
new file mode 100644
index 0000000000..cc99642fbc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -0,0 +1,162 @@
+---
+title: Policy CSP - CredentialProviders
+description: Policy CSP - CredentialProviders
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - CredentialProviders
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## CredentialProviders policies
+
+
+**CredentialProviders/AllowPINLogon**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
+
+If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
+
+If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
+
+Note: The user's domain password will be cached in the system vault when using this feature.
+
+To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business.
+
+
+
+ADMX Info:
+- GP english name: *Turn on convenience PIN sign-in*
+- GP name: *AllowDomainPINLogon*
+- GP ADMX file name: *credentialproviders.admx*
+
+
+
+
+**CredentialProviders/BlockPicturePassword**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to control whether a domain user can sign in using a picture password.
+
+If you enable this policy setting, a domain user can't set up or sign in with a picture password.
+
+If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
+
+Note that the user's domain password will be cached in the system vault when using this feature.
+
+
+
+ADMX Info:
+- GP english name: *Turn off picture password sign-in*
+- GP name: *BlockDomainPicturePassword*
+- GP ADMX file name: *credentialproviders.admx*
+
+
+
+
+**CredentialProviders/EnableWindowsAutoPilotResetCredentials**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Boolean policy to enable the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. When the policy is enabled, a WNF notification is generated that would schedule a task to update the visibility of the new provider. The admin user is required to authenticate to trigger the refresh on the target device.
+
+The auto pilot reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the auto pilot reset is triggered the devices are for ready for use by information workers or students.
+
+Default value is 0.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## CredentialProviders policies supported by IoT Core
+
+- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
+- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
+
+
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
new file mode 100644
index 0000000000..e51c7be1c8
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -0,0 +1,118 @@
+---
+title: Policy CSP - CredentialsUI
+description: Policy CSP - CredentialsUI
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - CredentialsUI
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## CredentialsUI policies
+
+
+**CredentialsUI/DisablePasswordReveal**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
+
+If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
+
+If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
+
+By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
+
+The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
+
+
+
+ADMX Info:
+- GP english name: *Do not display the password reveal button*
+- GP name: *DisablePasswordReveal*
+- GP ADMX file name: *credui.admx*
+
+
+
+
+**CredentialsUI/EnumerateAdministrators**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
+
+If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
+
+If you disable this policy setting, users will always be required to type a user name and password to elevate.
+
+
+
+ADMX Info:
+- GP english name: *Enumerate administrator accounts on elevation*
+- GP name: *EnumerateAdministrators*
+- GP ADMX file name: *credui.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
new file mode 100644
index 0000000000..b010cfdbb9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -0,0 +1,104 @@
+---
+title: Policy CSP - Cryptography
+description: Policy CSP - Cryptography
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Cryptography
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Cryptography policies
+
+
+**Cryptography/AllowFipsAlgorithmPolicy**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows or disallows the Federal Information Processing Standard (FIPS) policy.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1– Allowed.
+
+
+
+
+**Cryptography/TLSCipherSuites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Cryptography policies supported by Microsoft Surface Hub
+
+- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
+- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
+
+
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
new file mode 100644
index 0000000000..418361ef03
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -0,0 +1,112 @@
+---
+title: Policy CSP - DataProtection
+description: Policy CSP - DataProtection
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - DataProtection
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## DataProtection policies
+
+
+**DataProtection/AllowDirectMemoryAccess**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**DataProtection/LegacySelectiveWipeID**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!IMPORTANT]
+> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
+
+
+Setting used by Windows 8.1 Selective Wipe.
+
+> [!NOTE]
+> This policy is not recommended for use in Windows 10.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## DataProtection policies supported by IoT Core
+
+- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
+
+
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
new file mode 100644
index 0000000000..54687bcb5c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -0,0 +1,126 @@
+---
+title: Policy CSP - DataUsage
+description: Policy CSP - DataUsage
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - DataUsage
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## DataUsage policies
+
+
+**DataUsage/SetCost3G**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting configures the cost of 3G connections on the local machine.
+
+If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
+
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+
+- Variable: This connection is costed on a per byte basis.
+
+If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
+
+
+
+ADMX Info:
+- GP english name: *Set 3G Cost*
+- GP name: *SetCost3G*
+- GP ADMX file name: *wwansvc.admx*
+
+
+
+
+**DataUsage/SetCost4G**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting configures the cost of 4G connections on the local machine.
+
+If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
+
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+
+- Variable: This connection is costed on a per byte basis.
+
+If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.
+
+
+
+ADMX Info:
+- GP english name: *Set 4G Cost*
+- GP name: *SetCost4G*
+- GP ADMX file name: *wwansvc.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
new file mode 100644
index 0000000000..9fdbbe8095
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -0,0 +1,1490 @@
+---
+title: Policy CSP - Defender
+description: Policy CSP - Defender
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Defender
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Defender policies
+
+
+**Defender/AllowArchiveScanning**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows scanning of archives.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowBehaviorMonitoring**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows Windows Defender Behavior Monitoring functionality.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowCloudProtection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowEmailScanning**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows scanning of email.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
+
+
+**Defender/AllowFullScanOnMappedNetworkDrives**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows a full scan of mapped network drives.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
+
+
+**Defender/AllowFullScanRemovableDriveScanning**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows a full scan of removable drives.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowIOAVProtection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows Windows Defender IOAVP Protection functionality.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowIntrusionPreventionSystem**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows Windows Defender Intrusion Prevention functionality.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowOnAccessProtection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows Windows Defender On Access Protection functionality.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowRealtimeMonitoring**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows Windows Defender Realtime Monitoring functionality.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowScanningNetworkFiles**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows a scanning of network files.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowScriptScanning**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows Windows Defender Script Scanning functionality.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AllowUserUIAccess**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Defender/AttackSurfaceReductionOnlyExclusions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Added in Windows 10, version 1709. This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe"..
+
+Value type is string.
+
+
+
+
+**Defender/AttackSurfaceReductionRules**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
+
+Value type is string.
+
+
+
+
+**Defender/AvgCPULoadFactor**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Represents the average CPU load factor for the Windows Defender scan (in percent).
+
+
Valid values: 0–100
+
+
The default value is 50.
+
+
+
+
+**Defender/CloudBlockLevel**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Added in Windows 10, version 1709. This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
+
+
If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
+
+p
For more information about specific values that are supported, see the Windows Defender Antivirus documentation site.
+
+> [!Note]
+> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
+
+
Possible options are:
+
+- (0x0) Default windows defender blocking level
+- (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
+- (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
+- (0x6) Zero tolerance blocking level – block all unknown executables
+
+
+
+
+**Defender/CloudExtendedTimeout**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+Added in Windows 10, version 1709. This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
+
+
The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds.
+
+
For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
+
+> [!Note]
+> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
+
+
+
+
+**Defender/DaysToRetainCleanedMalware**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Time period (in days) that quarantine items will be stored on the system.
+
+
Valid values: 0–90
+
+
The default value is 0, which keeps items in quarantine, and does not automatically remove them.
+
+
+
+
+**Defender/EnableGuardMyFolders**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
+
+- 0 (default) - Off
+- 1 - Audit mode
+- 2 - Enforcement mode
+
+
+
+
+**Defender/EnableNetworkProtection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
+
+
If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
+
If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
+
If you enable this policy with the ""Audit"" option, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Windows Defender Security Center.
+
If you disable this policy, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Windows Defender Security Center.
+
If you do not configure this policy, network blocking will be disabled by default.
+
+
Valid values:
+
+- 0 (default) - Disabled
+- 1 - Enabled (block mode)
+- 2 - Enabled (audit mode)
+
+
+
+
+**Defender/ExcludedExtensions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
+
+
+
+
+**Defender/ExcludedPaths**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
+
+
+
+
+**Defender/ExcludedProcesses**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows an administrator to specify a list of files opened by processes to ignore during a scan.
+
+> [!IMPORTANT]
+> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path.
+
+
+
Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
+
+
+
+
+**Defender/GuardedFoldersAllowedApplications**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode as the substring separator.
+
+
+
+
+**Defender/GuardedFoldersList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode as the substring separator.
+
+
+
+
+**Defender/PUAProtection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
+
+
The following list shows the supported values:
+
+- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications.
+- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats.
+- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
+
+
+
+
+**Defender/RealTimeScanDirection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Controls which sets of files should be monitored.
+
+> [!NOTE]
+> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
+
+
+
The following list shows the supported values:
+
+- 0 (default) – Monitor all files (bi-directional).
+- 1 – Monitor incoming files.
+- 2 – Monitor outgoing files.
+
+
+
+
+**Defender/ScanParameter**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Selects whether to perform a quick scan or full scan.
+
+
The following list shows the supported values:
+
+- 1 (default) – Quick scan
+- 2 – Full scan
+
+
+
+
+**Defender/ScheduleQuickScanTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Selects the time of day that the Windows Defender quick scan should run.
+
+> [!NOTE]
+> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
+
+
+
Valid values: 0–1380
+
+
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
+
+
The default value is 120
+
+
+
+
+**Defender/ScheduleScanDay**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Selects the day that the Windows Defender scan should run.
+
+> [!NOTE]
+> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
+
+
+
The following list shows the supported values:
+
+- 0 (default) – Every day
+- 1 – Monday
+- 2 – Tuesday
+- 3 – Wednesday
+- 4 – Thursday
+- 5 – Friday
+- 6 – Saturday
+- 7 – Sunday
+- 8 – No scheduled scan
+
+
+
+
+**Defender/ScheduleScanTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Selects the time of day that the Windows Defender scan should run.
+
+> [!NOTE]
+> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
+
+
+
Valid values: 0–1380.
+
+
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
+
+
The default value is 120.
+
+
+
+
+**Defender/SignatureUpdateInterval**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
+
+
Valid values: 0–24.
+
+
A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
+
+
The default value is 8.
+
+
+
+
+**Defender/SubmitSamplesConsent**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
+
+
The following list shows the supported values:
+
+- 0 – Always prompt.
+- 1 (default) – Send safe samples automatically.
+- 2 – Never send.
+- 3 – Send all samples automatically.
+
+
+
+
+**Defender/ThreatSeverityDefaultAction**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop.
+
+
+Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
+
+
This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
+
+
The following list shows the supported values for threat severity levels:
+
+- 1 – Low severity threats
+- 2 – Moderate severity threats
+- 4 – High severity threats
+- 5 – Severe threats
+
+
The following list shows the supported values for possible actions:
+
+- 1 – Clean
+- 2 – Quarantine
+- 3 – Remove
+- 6 – Allow
+- 8 – User defined
+- 10 – Block
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Defender policies supported by Microsoft Surface Hub
+
+- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
+- [Defender/AllowEmailScanning](#defender-allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
+- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
+- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
+- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](#defender-excludedextensions)
+- [Defender/ExcludedPaths](#defender-excludedpaths)
+- [Defender/ExcludedProcesses](#defender-excludedprocesses)
+- [Defender/PUAProtection](#defender-puaprotection)
+- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
+- [Defender/ScanParameter](#defender-scanparameter)
+- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
+- [Defender/ScheduleScanDay](#defender-schedulescanday)
+- [Defender/ScheduleScanTime](#defender-schedulescantime)
+- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
+
+
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
new file mode 100644
index 0000000000..bcd687b62f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -0,0 +1,654 @@
+---
+title: Policy CSP - DeliveryOptimization
+description: Policy CSP - DeliveryOptimization
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - DeliveryOptimization
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## DeliveryOptimization policies
+
+
+**DeliveryOptimization/DOAbsoluteMaxCacheSize**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
+
+
The default value is 10.
+
+
+
+
+**DeliveryOptimization/DOAllowVPNPeerCaching**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+
+
The default value is 0 (FALSE).
+
+
+
+
+**DeliveryOptimization/DODownloadMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
+
+
The following list shows the supported values:
+
+- 0 –HTTP only, no peering.
+- 1 (default) – HTTP blended with peering behind the same NAT.
+- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
+- 3 – HTTP blended with Internet peering.
+- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
+- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
+
+
+
+
+**DeliveryOptimization/DOGroupId**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
+
+> [!NOTE]
+> You must use a GUID as the group ID.
+
+
+
+
+**DeliveryOptimization/DOMaxCacheAge**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
+
+
The default value is 259200 seconds (3 days).
+
+
+
+
+**DeliveryOptimization/DOMaxCacheSize**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
+
+
The default value is 20.
+
+
+
+
+**DeliveryOptimization/DOMaxDownloadBandwidth**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
+
+
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+
+
+
+**DeliveryOptimization/DOMaxUploadBandwidth**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
+
+
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
+
+
+
+
+**DeliveryOptimization/DOMinBackgroundQos**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
+
+
The default value is 500.
+
+
+
+
+**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
+
+
The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used.
+
+
+
+
+**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB.
+
+> [!NOTE]
+> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
+
+
The default value is 32 GB.
+
+
+
+
+**DeliveryOptimization/DOMinFileSizeToCache**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB.
+
+
The default value is 100 MB.
+
+
+
+
+**DeliveryOptimization/DOMinRAMAllowedToPeer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
+
+
The default value is 4 GB.
+
+
+
+
+**DeliveryOptimization/DOModifyCacheDrive**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
+
+
By default, %SystemDrive% is used to store the cache.
+
+
+
+
+**DeliveryOptimization/DOMonthlyUploadDataCap**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
+
+
The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
+
+
The default value is 20.
+
+
+
+
+**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
+
+
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## DeliveryOptimization policies supported by Microsoft Surface Hub
+
+- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
+- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
+- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
+- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
+- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
+- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
+- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
+- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
+- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
+- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
+- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
+- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
+- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
+- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
+
+
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
new file mode 100644
index 0000000000..1a2b0575d1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -0,0 +1,78 @@
+---
+title: Policy CSP - Desktop
+description: Policy CSP - Desktop
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Desktop
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Desktop policies
+
+
+**Desktop/PreventUserRedirectionOfProfileFolders**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Prevents users from changing the path to their profile folders.
+
+By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
+
+If you enable this setting, users are unable to type a new location in the Target box.
+
+
+
+ADMX Info:
+- GP english name: *Prohibit User from manually redirecting Profile Folders*
+- GP name: *DisablePersonalDirChange*
+- GP ADMX file name: *desktop.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Desktop policies supported by Microsoft Surface Hub
+
+- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
+
+
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
new file mode 100644
index 0000000000..a33fac0efa
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -0,0 +1,147 @@
+---
+title: Policy CSP - DeviceGuard
+description: Policy CSP - DeviceGuard
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - DeviceGuard
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## DeviceGuard policies
+
+
+**DeviceGuard/EnableVirtualizationBasedSecurity**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+
+Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values:
+
+- 0 (default) - disable virtualization based security
+- 1 - enable virtualization based security
+
+
+
+
+
+**DeviceGuard/LsaCfgFlags**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+
+Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values:
+
+- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock
+- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock
+- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock
+
+
+
+
+
+
+**DeviceGuard/RequirePlatformSecurityFeatures**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
+
+- 1 (default) - Turns on VBS with Secure Boot.
+- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## DeviceGuard policies supported by Microsoft Surface Hub
+
+- [DeviceGuard/AllowKernelControlFlowGuard](#None)
+
+
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
new file mode 100644
index 0000000000..6fe4218008
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -0,0 +1,114 @@
+---
+title: Policy CSP - DeviceInstallation
+description: Policy CSP - DeviceInstallation
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - DeviceInstallation
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## DeviceInstallation policies
+
+
+**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+
+If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+
+
+
+ADMX Info:
+- GP english name: *Prevent installation of devices that match any of these device IDs*
+- GP name: *DeviceInstall_IDs_Deny*
+- GP ADMX file name: *deviceinstallation.admx*
+
+
+
+
+**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+
+If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+
+
+
+ADMX Info:
+- GP english name: *Prevent installation of devices using drivers that match these device setup classes*
+- GP name: *DeviceInstall_Classes_Deny*
+- GP ADMX file name: *deviceinstallation.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
new file mode 100644
index 0000000000..6aedca4af1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -0,0 +1,841 @@
+---
+title: Policy CSP - DeviceLock
+description: Policy CSP - DeviceLock
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - DeviceLock
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## DeviceLock policies
+
+
+**DeviceLock/AllowIdleReturnWithoutPassword**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies whether the user must input a PIN or password when the device resumes from an idle state.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+> [!IMPORTANT]
+> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period.
+
+
+
+
+**DeviceLock/AllowSimpleDevicePassword**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+
+**DeviceLock/AlphanumericDevicePasswordRequired**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education).
+
+
+
The following list shows the supported values:
+
+- 0 – Alphanumeric PIN or password required.
+- 1 – Numeric PIN or password required.
+- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
+
+> [!NOTE]
+> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
+>
+> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
+
+
+
+
+
+
+**DeviceLock/DevicePasswordEnabled**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether device lock is enabled.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
+
+
+
The following list shows the supported values:
+
+- 0 (default) – Enabled
+- 1 – Disabled
+
+> [!IMPORTANT]
+> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect:
+>
+> - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
+> - MaxDevicePasswordFailedAttempts
+> - MaxInactivityTimeDeviceLock
+> - MinDevicePasswordComplexCharacters
+
+
+> [!IMPORTANT]
+> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set:
+>
+> - MinDevicePasswordLength is set to 4
+> - MinDevicePasswordComplexCharacters is set to 1
+>
+> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0:
+>
+> - MinDevicePasswordLength
+> - MinDevicePasswordComplexCharacters
+
+> [!Important]
+> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
+> - **DevicePasswordEnabled** is the parent policy of the following:
+> - AllowSimpleDevicePassword
+> - MinDevicePasswordLength
+> - AlphanumericDevicePasswordRequired
+> - MinDevicePasswordComplexCharacters
+> - DevicePasswordExpiration
+> - DevicePasswordHistory
+> - MaxDevicePasswordFailedAttempts
+> - MaxInactivityTimeDeviceLock
+
+
+
+
+**DeviceLock/DevicePasswordExpiration**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies when the password expires (in days).
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- An integer X where 0 <= X <= 730.
+- 0 (default) - Passwords do not expire.
+
+
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value.
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+
+**DeviceLock/DevicePasswordHistory**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies how many passwords can be stored in the history that can’t be used.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- An integer X where 0 <= X <= 50.
+- 0 (default)
+
+
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
+
+
Max policy value is the most restricted.
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+
+**DeviceLock/EnforceLockScreenAndLogonImage**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
+
+
+
Value type is a string, which is the full image filepath and filename.
+
+
+
+
+**DeviceLock/EnforceLockScreenProvider**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for mobile devices.
+
+
+
Value type is a string, which is the AppID.
+
+
+
+
+**DeviceLock/MaxDevicePasswordFailedAttempts**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+This policy has different behaviors on the mobile device and desktop.
+
+- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
+- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
+
+ Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
+
+
The following list shows the supported values:
+
+- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.
+- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
+
+
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value.
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+
+**DeviceLock/MaxInactivityTimeDeviceLock**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- An integer X where 0 <= X <= 999.
+- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx).
+
+
+
+
+**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 2 |
+ 2 |
+
+
+
+
+
+Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+
The following list shows the supported values:
+
+- An integer X where 0 <= X <= 999.
+- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
+
+
+
+
+**DeviceLock/MinDevicePasswordComplexCharacters**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
+
+
PIN enforces the following behavior for desktop and mobile devices:
+
+- 1 - Digits only
+- 2 - Digits and lowercase letters are required
+- 3 - Digits, lowercase letters, and uppercase letters are required
+- 4 - Digits, lowercase letters, uppercase letters, and special characters are required
+
+
The default value is 1. The following list shows the supported values and actual enforced values:
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mobile |
+1,2,3,4 |
+Same as the value set |
+
+
+Desktop Local Accounts |
+ 1,2,3 |
+3 |
+
+
+Desktop Microsoft Accounts |
+1,2 |
+ |
+
+
+Desktop Domain Accounts |
+Not supported |
+Not supported |
+
+
+
+
+
+Enforced values for Local and Microsoft Accounts:
+
+- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3.
+- Passwords for local accounts must meet the following minimum requirements:
+
+ - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
+ - Be at least six characters in length
+ - Contain characters from three of the following four categories:
+
+ - English uppercase characters (A through Z)
+ - English lowercase characters (a through z)
+ - Base 10 digits (0 through 9)
+ - Special characters (!, $, \#, %, etc.)
+
+
The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant.
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
+
+**DeviceLock/MinDevicePasswordLength**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies the minimum number or characters required in the PIN or password.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+>
+> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.
+
+
+
The following list shows the supported values:
+
+- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
+- Not enforced.
+- The default value is 4 for mobile devices and desktop devices.
+
+
Max policy value is the most restricted.
+
+
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca).
+
+
+
+
+**DeviceLock/PreventLockScreenSlideShow**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
+
+By default, users can enable a slide show that will run after they lock the machine.
+
+If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start.
+
+
+
+ADMX Info:
+- GP english name: *Prevent enabling lock screen slide show*
+- GP name: *CPL_Personalization_NoLockScreenSlideshow*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+**DeviceLock/ScreenTimeoutWhileLocked**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
+
+
Minimum supported value is 10.
+
+
Maximum supported value is 1800.
+
+
The default value is 10.
+
+
Most restricted value is 0.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## DeviceLock policies that can be set using Exchange Active Sync (EAS)
+
+- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
+- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow)
+
+
+
+## DeviceLock policies supported by Windows Holographic for Business
+
+- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
+- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
+
+
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
new file mode 100644
index 0000000000..142be5ef59
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -0,0 +1,118 @@
+---
+title: Policy CSP - Display
+description: Policy CSP - Display
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Display
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Display policies
+
+
+**Display/TurnOffGdiDPIScalingForApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+
+
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.
+
+
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+
+
If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications.
+
+
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+
+
To validate on Desktop, do the following:
+
+1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms.
+2. Run the app and observe blurry text.
+
+
+
+
+**Display/TurnOnGdiDPIScalingForApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
+
+
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.
+
+
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list.
+
+
If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest.
+
+
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off.
+
+
To validate on Desktop, do the following:
+
+1. Configure the setting for an app which uses GDI.
+2. Run the app and observe crisp text.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
new file mode 100644
index 0000000000..76c623cf52
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -0,0 +1,240 @@
+---
+title: Policy CSP - EnterpriseCloudPrint
+description: Policy CSP - EnterpriseCloudPrint
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - EnterpriseCloudPrint
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## EnterpriseCloudPrint policies
+
+
+**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
+
+
The datatype is a string.
+
+
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs".
+
+
+
+
+**EnterpriseCloudPrint/CloudPrintOAuthClientId**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
+
+
The datatype is a string.
+
+
The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714".
+
+
+
+
+**EnterpriseCloudPrint/CloudPrintResourceId**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
+
+
The datatype is a string.
+
+
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
+
+
+
+
+**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
+
+
The datatype is a string.
+
+
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com".
+
+
+
+
+**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
+
+
The datatype is an integer.
+
+
For Windows Mobile, the default value is 20.
+
+
+
+
+**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
+
+
The datatype is a string.
+
+
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint".
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
new file mode 100644
index 0000000000..9420ab52aa
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -0,0 +1,254 @@
+---
+title: Policy CSP - ErrorReporting
+description: Policy CSP - ErrorReporting
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - ErrorReporting
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## ErrorReporting policies
+
+
+**ErrorReporting/CustomizeConsentSettings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
+
+If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
+
+- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
+
+- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
+
+- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
+
+- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
+
+- 4 (Send all data): Any data requested by Microsoft is sent automatically.
+
+If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
+
+
+
+ADMX Info:
+- GP english name: *Customize consent settings*
+- GP name: *WerConsentCustomize_2*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+**ErrorReporting/DisableWindowsErrorReporting**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
+
+If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
+
+If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
+
+
+
+ADMX Info:
+- GP english name: *Disable Windows Error Reporting*
+- GP name: *WerDisable_2*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+**ErrorReporting/DisplayErrorNotification**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting controls whether users are shown an error dialog box that lets them report an error.
+
+If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
+
+If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
+
+If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
+
+See also the Configure Error Reporting policy setting.
+
+
+
+ADMX Info:
+- GP english name: *Display Error Notification*
+- GP name: *PCH_ShowUI*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+**ErrorReporting/DoNotSendAdditionalData**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
+
+If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
+
+If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
+
+
+
+ADMX Info:
+- GP english name: *Do not send additional data*
+- GP name: *WerNoSecondLevelData_2*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+**ErrorReporting/PreventCriticalErrorDisplay**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting prevents the display of the user interface for critical errors.
+
+If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
+
+If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
+
+
+
+ADMX Info:
+- GP english name: *Prevent display of the user interface for critical errors*
+- GP name: *WerDoNotShowUI*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
new file mode 100644
index 0000000000..a7d3d8bcf3
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -0,0 +1,200 @@
+---
+title: Policy CSP - EventLogService
+description: Policy CSP - EventLogService
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - EventLogService
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## EventLogService policies
+
+
+**EventLogService/ControlEventLogBehavior**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting controls Event Log behavior when the log file reaches its maximum size.
+
+If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
+
+If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
+
+Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+
+
+
+ADMX Info:
+- GP english name: *Control Event Log behavior when the log file reaches its maximum size*
+- GP name: *Channel_Log_Retention_1*
+- GP ADMX file name: *eventlog.admx*
+
+
+
+
+**EventLogService/SpecifyMaximumFileSizeApplicationLog**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting specifies the maximum size of the log file in kilobytes.
+
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+
+If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+
+
+
+ADMX Info:
+- GP english name: *Specify the maximum log file size (KB)*
+- GP name: *Channel_LogMaxSize_1*
+- GP ADMX file name: *eventlog.admx*
+
+
+
+
+**EventLogService/SpecifyMaximumFileSizeSecurityLog**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting specifies the maximum size of the log file in kilobytes.
+
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+
+If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+
+
+
+ADMX Info:
+- GP english name: *Specify the maximum log file size (KB)*
+- GP name: *Channel_LogMaxSize_2*
+- GP ADMX file name: *eventlog.admx*
+
+
+
+
+**EventLogService/SpecifyMaximumFileSizeSystemLog**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+This policy setting specifies the maximum size of the log file in kilobytes.
+
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
+
+If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
+
+
+
+ADMX Info:
+- GP english name: *Specify the maximum log file size (KB)*
+- GP name: *Channel_LogMaxSize_4*
+- GP ADMX file name: *eventlog.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
new file mode 100644
index 0000000000..d0a5edf221
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -0,0 +1,782 @@
+---
+title: Policy CSP - Experience
+description: Policy CSP - Experience
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Experience
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Experience policies
+
+
+**Experience/AllowCopyPaste**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+Specifies whether copy and paste is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowCortana**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
Benefit to the customer:
+
+
Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive.
+
+
Sample scenario:
+
+
An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more.
+
+
+
+
+**Experience/AllowDeviceDiscovery**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows users to turn on/off device discovery UX.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowManualMDMUnenrollment**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to allow the user to delete the workplace account using the workplace control panel.
+
+> [!NOTE]
+> The MDM server can always remotely delete the account.
+
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies whether to display dialog prompt when no SIM card is detected.
+
+
The following list shows the supported values:
+
+- 0 – SIM card dialog prompt is not displayed.
+- 1 (default) – SIM card dialog prompt is displayed.
+
+
+
+
+**Experience/AllowScreenCapture**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies whether screen capture is allowed.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowSyncMySettings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
+
+
The following list shows the supported values:
+
+- 0 – Sync settings is not allowed.
+- 1 (default) – Sync settings allowed.
+
+
+
+
+**Experience/AllowTailoredExperiencesWithDiagnosticData**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
+
+
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value.
+
+> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowTaskSwitcher**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Allows or disallows task switching on the device.
+
+
The following list shows the supported values:
+
+- 0 – Task switching not allowed.
+- 1 (default) – Task switching allowed.
+
+
+
+
+**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+
+
+Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
+
+
The following list shows the supported values:
+
+- 0 – Third-party suggestions not allowed.
+- 1 (default) – Third-party suggestions allowed.
+
+
+
+
+**Experience/AllowVoiceRecording**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies whether voice recording is allowed for apps.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowWindowsConsumerFeatures**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
+
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result.
+
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowWindowsSpotlight**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
+
+
+Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowWindowsSpotlightOnActionCenter**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
+The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Experience/AllowWindowsTips**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Enables or disables Windows Tips / soft landing.
+
+The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 (default) – Enabled.
+
+
+
+
+**Experience/ConfigureWindowsSpotlightOnLockScreen**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
+
+
+Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.
+
+
The following list shows the supported values:
+
+- 0 – None.
+- 1 (default) – Windows spotlight enabled.
+- 2 – placeholder only for future extension. Using this value has no effect.
+
+
+
+
+**Experience/DoNotShowFeedbackNotifications**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Prevents devices from showing feedback questions from Microsoft.
+
+
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback.
+
+
If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
+
+
The following list shows the supported values:
+
+- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally.
+- 1 – Feedback notifications are disabled.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Experience policies supported by Windows Holographic for Business
+
+- [Experience/AllowCortana](#experience-allowcortana)
+- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
+
+
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
new file mode 100644
index 0000000000..65d798cab5
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -0,0 +1,61 @@
+---
+title: Policy CSP - Games
+description: Policy CSP - Games
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Games
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Games policies
+
+
+**Games/AllowAdvancedGamingServices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Placeholder only. Currently not supported.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
new file mode 100644
index 0000000000..096bb1b61b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -0,0 +1,8012 @@
+---
+title: Policy CSP - InternetExplorer
+description: Policy CSP - InternetExplorer
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - InternetExplorer
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## InternetExplorer policies
+
+
+**InternetExplorer/AddSearchProvider**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
+
+If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
+
+If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
+
+
+
+ADMX Info:
+- GP english name: *Add a specific list of search providers to the user's list of search providers*
+- GP name: *AddSearchProvider*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowActiveXFiltering**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
+
+If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
+
+If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
+
+
+
+ADMX Info:
+- GP english name: *Turn on ActiveX Filtering*
+- GP name: *TurnOnActiveXFiltering*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowAddOnList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
+
+This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.
+
+If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
+
+Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
+
+Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
+
+If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
+
+
+
+ADMX Info:
+- GP english name: *Add-on List*
+- GP name: *AddonManagement_AddOnList*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowAutoComplete**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on the auto-complete feature for user names and passwords on forms*
+- GP name: *RestrictFormSuggestPW*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowCertificateAddressMismatchWarning**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on certificate address mismatch warning*
+- GP name: *IZ_PolicyWarnCertMismatch*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowDeletingBrowsingHistoryOnExit**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow deleting browsing history on exit*
+- GP name: *DBHDisableDeleteOnExit*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowEnhancedProtectedMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
+
+If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
+
+If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.
+
+If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
+
+
+
+ADMX Info:
+- GP english name: *Turn on Enhanced Protected Mode*
+- GP name: *Advanced_EnableEnhancedProtectedMode*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
+
+If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
+
+If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
+
+
+
+ADMX Info:
+- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu*
+- GP name: *EnterpriseModeEnable*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowEnterpriseModeSiteList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
+
+If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
+
+If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
+
+
+
+ADMX Info:
+- GP english name: *Use the Enterprise Mode IE website list*
+- GP name: *EnterpriseModeSiteList*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowFallbackToSSL3**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow fallback to SSL 3.0 (Internet Explorer)*
+- GP name: *Advanced_EnableSSL3Fallback*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowInternetExplorer7PolicyList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
+
+If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
+
+If you disable or do not configure this policy setting, the user can add and remove sites from the list.
+
+
+
+ADMX Info:
+- GP english name: *Use Policy List of Internet Explorer 7 sites*
+- GP name: *CompatView_UsePolicyList*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowInternetExplorerStandardsMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
+
+If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
+
+If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.
+
+If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
+
+
+
+ADMX Info:
+- GP english name: *Turn on Internet Explorer Standards Mode for local intranet*
+- GP name: *CompatView_IntranetSites*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowInternetZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Internet Zone Template*
+- GP name: *IZ_PolicyInternetZoneTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowIntranetZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Intranet Zone Template*
+- GP name: *IZ_PolicyIntranetZoneTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowLocalMachineZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Local Machine Zone Template*
+- GP name: *IZ_PolicyLocalMachineZoneTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowLockedDownInternetZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Locked-Down Internet Zone Template*
+- GP name: *IZ_PolicyInternetZoneLockdownTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowLockedDownIntranetZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Locked-Down Intranet Zone Template*
+- GP name: *IZ_PolicyIntranetZoneLockdownTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Locked-Down Local Machine Zone Template*
+- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Locked-Down Restricted Sites Zone Template*
+- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowOneWordEntry**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
+
+If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.
+
+If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
+
+
+
+ADMX Info:
+- GP english name: *Go to an intranet site for a one-word entry in the Address bar*
+- GP name: *UseIntranetSiteForOneWordEntry*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowSiteToZoneAssignmentList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
+
+Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
+
+If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
+
+Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
+
+Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
+
+If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
+
+
+
+ADMX Info:
+- GP english name: *Site to Zone Assignment List*
+- GP name: *IZ_Zonemaps*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow software to run or install even if the signature is invalid*
+- GP name: *Advanced_InvalidSignatureBlock*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowSuggestedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
+
+If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
+
+If you disable this policy setting, the entry points and functionality associated with this feature are turned off.
+
+If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
+
+
+
+ADMX Info:
+- GP english name: *Turn on Suggested Sites*
+- GP name: *EnableSuggestedSites*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowTrustedSitesZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Trusted Sites Zone Template*
+- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Locked-Down Trusted Sites Zone Template*
+- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+ADMX Info:
+- GP english name: *Restricted Sites Zone Template*
+- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/CheckServerCertificateRevocation**
+
+
+
+
+ADMX Info:
+- GP english name: *Check for server certificate revocation*
+- GP name: *Advanced_CertificateRevocation*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/CheckSignaturesOnDownloadedPrograms**
+
+
+
+
+ADMX Info:
+- GP english name: *Check for signatures on downloaded programs*
+- GP name: *Advanced_DownloadSignatures*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *Internet Explorer Processes*
+- GP name: *IESF_PolicyExplorerProcesses_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableAdobeFlash**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
+
+If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
+
+If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.
+
+Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
+
+
+
+ADMX Info:
+- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
+- GP name: *DisableFlashInIE*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableBlockingOfOutdatedActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
+- GP name: *VerMgmtDisable*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableBypassOfSmartScreenWarnings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
+
+If you enable this policy setting, SmartScreen Filter warnings block the user.
+
+If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+
+
+
+ADMX Info:
+- GP english name: *Prevent bypassing SmartScreen Filter warnings*
+- GP name: *DisableSafetyFilterOverride*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
+
+If you enable this policy setting, SmartScreen Filter warnings block the user.
+
+If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+
+
+
+ADMX Info:
+- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
+- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableConfiguringHistory**
+
+
+
+
+ADMX Info:
+- GP english name: *Disable "Configuring History"*
+- GP name: *RestrictHistory*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableCrashDetection**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off Crash Detection*
+- GP name: *AddonManagement_RestrictCrashDetection*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
+
+If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
+
+If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
+
+If you do not configure this policy setting, the user can choose to participate in the CEIP.
+
+
+
+ADMX Info:
+- GP english name: *Prevent participation in the Customer Experience Improvement Program*
+- GP name: *SQM_DisableCEIP*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableDeletingUserVisitedWebsites**
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent deleting websites that the user has visited*
+- GP name: *DBHDisableDeleteHistory*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableEnclosureDownloading**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
+
+If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
+
+If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
+
+
+
+ADMX Info:
+- GP english name: *Prevent downloading of enclosures*
+- GP name: *Disable_Downloading_of_Enclosures*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableEncryptionSupport**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
+
+If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
+
+If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.
+
+Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
+
+
+
+ADMX Info:
+- GP english name: *Turn off encryption support*
+- GP name: *Advanced_SetWinInetProtocols*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableFirstRunWizard**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
+
+If you enable this policy setting, you must make one of the following choices:
+Skip the First Run wizard, and go directly to the user's home page.
+Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
+
+Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
+
+If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
+
+
+
+ADMX Info:
+- GP english name: *Prevent running First Run wizard*
+- GP name: *NoFirstRunCustomise*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableFlipAheadFeature**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
+
+Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
+
+If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.
+
+If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
+
+If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
+
+
+
+ADMX Info:
+- GP english name: *Turn off the flip ahead with page prediction feature*
+- GP name: *Advanced_DisableFlipAhead*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableHomePageChange**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
+
+If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
+
+If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
+
+
+
+ADMX Info:
+- GP english name: *Disable changing home page settings*
+- GP name: *RestrictHomePage*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableIgnoringCertificateErrors**
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent ignoring certificate errors*
+- GP name: *NoCertError*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableInPrivateBrowsing**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off InPrivate Browsing*
+- GP name: *DisableInPrivateBrowsing*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableProcessesInEnhancedProtectedMode**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows*
+- GP name: *Advanced_EnableEnhancedProtectedMode64Bit*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableProxyChange**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting specifies if a user can change proxy settings.
+
+If you enable this policy setting, the user will not be able to configure proxy settings.
+
+If you disable or do not configure this policy setting, the user can configure proxy settings.
+
+
+
+ADMX Info:
+- GP english name: *Prevent changing proxy settings*
+- GP name: *RestrictProxy*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableSearchProviderChange**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
+
+If you enable this policy setting, the user cannot change the default search provider.
+
+If you disable or do not configure this policy setting, the user can change the default search provider.
+
+
+
+ADMX Info:
+- GP english name: *Prevent changing the default search provider*
+- GP name: *NoSearchProvider*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableSecondaryHomePageChange**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
+
+If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
+
+If you disable or do not configure this policy setting, the user can add secondary home pages.
+
+Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
+
+
+
+ADMX Info:
+- GP english name: *Disable changing secondary home page settings*
+- GP name: *SecondaryHomePages*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableSecuritySettingsCheck**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off the Security Settings Check feature*
+- GP name: *Disable_Security_Settings_Check*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableUpdateCheck**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Prevents Internet Explorer from checking whether a new version of the browser is available.
+
+If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
+
+If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.
+
+This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
+
+
+
+ADMX Info:
+- GP english name: *Disable Periodic Check for Internet Explorer software updates*
+- GP name: *NoUpdateCheck*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
+
+
+
+
+ADMX Info:
+- GP english name: *Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled*
+- GP name: *Advanced_DisableEPMCompat*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotAllowUsersToAddSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
+
+If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
+
+If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.
+
+This policy prevents users from changing site management settings for security zones established by the administrator.
+
+Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
+
+Also, see the "Security zones: Use only machine settings" policy.
+
+
+
+ADMX Info:
+- GP english name: *Security Zones: Do not allow users to add/delete sites*
+- GP name: *Security_zones_map_edit*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotAllowUsersToChangePolicies**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
+
+If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
+
+If you disable this policy or do not configure it, users can change the settings for security zones.
+
+This policy prevents users from changing security zone settings established by the administrator.
+
+Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
+
+Also, see the "Security zones: Use only machine settings" policy.
+
+
+
+ADMX Info:
+- GP english name: *Security Zones: Do not allow users to change policies*
+- GP name: *Security_options_edit*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotBlockOutdatedActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
+
+If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
+
+If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
+
+For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+
+
+
+ADMX Info:
+- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
+- GP name: *VerMgmtDisable*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
+
+If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
+
+1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
+2. "hostname". For example, if you want to include http://example, use "example"
+3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"
+
+If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
+
+For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+
+
+
+ADMX Info:
+- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
+- GP name: *VerMgmtDomainAllowlist*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IncludeAllLocalSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
+
+If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
+
+If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
+
+If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
+
+
+
+ADMX Info:
+- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
+- GP name: *IZ_IncludeUnspecifiedLocalSites*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IncludeAllNetworkPaths**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
+
+If you enable this policy setting, all network paths are mapped into the Intranet Zone.
+
+If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
+
+If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
+
+
+
+ADMX Info:
+- GP english name: *Intranet Sites: Include all network paths (UNCs)*
+- GP name: *IZ_UNCAsIntranet*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowCopyPasteViaScript**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow cut, copy or paste operations from the clipboard via script*
+- GP name: *IZ_PolicyAllowPasteViaScript_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow drag and drop or copy and paste files*
+- GP name: *IZ_PolicyDropOrPasteFiles_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowLoadingOfXAMLFilesWRONG**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow loading of XAML files*
+- GP name: *IZ_Policy_XAML_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow only approved domains to use ActiveX controls without prompt*
+- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Intranet*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow only approved domains to use the TDC ActiveX control*
+- GP name: *IZ_PolicyAllowTDCControl_Both_LocalMachine*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowScriptInitiatedWindows**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow script-initiated windows without size or position constraints*
+- GP name: *IZ_PolicyWindowsRestrictionsURLaction_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scripting of Internet Explorer WebBrowser controls*
+- GP name: *IZ_Policy_WebBrowserControl_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow updates to status bar via script*
+- GP name: *IZ_Policy_ScriptStatusBar_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG1**
+
+
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControlsWRONG2**
+
+
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneDownloadSignedActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Download signed ActiveX controls*
+- GP name: *IZ_PolicyDownloadSignedActiveX_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Download unsigned ActiveX controls*
+- GP name: *IZ_PolicyDownloadUnsignedActiveX_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on Cross-Site Scripting Filter*
+- GP name: *IZ_PolicyTurnOnXSSFilter_Both_LocalMachine*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
+
+
+
+
+ADMX Info:
+- GP english name: *Enable dragging of content from different domains across windows*
+- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
+
+
+
+
+ADMX Info:
+- GP english name: *Enable dragging of content from different domains within a window*
+- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneEnableMIMESniffing**
+
+
+
+
+ADMX Info:
+- GP english name: *Enable MIME Sniffing*
+- GP name: *IZ_PolicyMimeSniffingURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneEnableProtectedMode**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on Protected Mode*
+- GP name: *IZ_Policy_TurnOnProtectedMode_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer**
+
+
+
+
+ADMX Info:
+- GP english name: *Include local path when user is uploading files to a server*
+- GP name: *IZ_Policy_LocalPathForUpload_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
+
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneJavaPermissionsWRONG1**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneJavaPermissionsWRONG2**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME**
+
+
+
+
+ADMX Info:
+- GP english name: *Launching applications and files in an IFRAME*
+- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneLogonOptions**
+
+
+
+
+ADMX Info:
+- GP english name: *Logon options*
+- GP name: *IZ_PolicyLogon_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode**
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components signed with Authenticode*
+- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles**
+
+
+
+
+ADMX Info:
+- GP english name: *Show security warning for potentially unsafe files*
+- GP name: *IZ_Policy_UnsafeFiles_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneUsePopupBlocker**
+
+
+
+
+ADMX Info:
+- GP english name: *Use Pop-up Blocker*
+- GP name: *IZ_PolicyBlockPopupWindows_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone**
+
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
+
+If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *Internet Explorer Processes*
+- GP name: *IESF_PolicyExplorerProcesses_3*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *Internet Explorer Processes*
+- GP name: *IESF_PolicyExplorerProcesses_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/NotificationBarInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *Internet Explorer Processes*
+- GP name: *IESF_PolicyExplorerProcesses_10*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/PreventManagingSmartScreenFilter**
+
+
+
+
+ADMX Info:
+- GP english name: *Download signed ActiveX controls*
+- GP name: *IZ_PolicyDownloadSignedActiveX_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/PreventPerUserInstallationOfActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent per-user installation of ActiveX controls*
+- GP name: *DisablePerUserActiveXInstall*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *All Processes*
+- GP name: *IESF_PolicyAllProcesses_9*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
+- GP name: *VerMgmtDisableRunThisTime*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *All Processes*
+- GP name: *IESF_PolicyAllProcesses_11*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *All Processes*
+- GP name: *IESF_PolicyAllProcesses_12*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowActiveScripting**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow active scripting*
+- GP name: *IZ_PolicyActiveScripting_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow binary and script behaviors*
+- GP name: *IZ_PolicyBinaryBehaviors_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow cut, copy or paste operations from the clipboard via script*
+- GP name: *IZ_PolicyAllowPasteViaScript_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow drag and drop or copy and paste files*
+- GP name: *IZ_PolicyDropOrPasteFiles_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowFileDownloads**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow file downloads*
+- GP name: *IZ_PolicyFileDownload_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG1**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowFontDownloadsWRONG2**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow loading of XAML files*
+- GP name: *IZ_Policy_XAML_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow META REFRESH*
+- GP name: *IZ_PolicyAllowMETAREFRESH_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow only approved domains to use ActiveX controls without prompt*
+- GP name: *IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow only approved domains to use the TDC ActiveX control*
+- GP name: *IZ_PolicyAllowTDCControl_Both_Restricted*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow script-initiated windows without size or position constraints*
+- GP name: *IZ_PolicyWindowsRestrictionsURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scripting of Internet Explorer WebBrowser controls*
+- GP name: *IZ_Policy_WebBrowserControl_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow updates to status bar via script*
+- GP name: *IZ_Policy_ScriptStatusBar_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Download signed ActiveX controls*
+- GP name: *IZ_PolicyDownloadSignedActiveX_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls**
+
+
+
+
+ADMX Info:
+- GP english name: *Download unsigned ActiveX controls*
+- GP name: *IZ_PolicyDownloadUnsignedActiveX_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
+
+
+
+
+ADMX Info:
+- GP english name: *Enable dragging of content from different domains across windows*
+- GP name: *IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
+
+
+
+
+ADMX Info:
+- GP english name: *Enable dragging of content from different domains within a window*
+- GP name: *IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing**
+
+
+
+
+ADMX Info:
+- GP english name: *Enable MIME Sniffing*
+- GP name: *IZ_PolicyMimeSniffingURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer**
+
+
+
+
+ADMX Info:
+- GP english name: *Include local path when user is uploading files to a server*
+- GP name: *IZ_Policy_LocalPathForUpload_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME**
+
+
+
+
+ADMX Info:
+- GP english name: *Launching applications and files in an IFRAME*
+- GP name: *IZ_PolicyLaunchAppsAndFilesInIFRAME_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneLogonOptions**
+
+
+
+
+ADMX Info:
+- GP english name: *Logon options*
+- GP name: *IZ_PolicyLogon_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
+
+If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains**
+
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins**
+
+
+
+
+ADMX Info:
+- GP english name: *Run ActiveX controls and plugins*
+- GP name: *IZ_PolicyRunActiveXControls_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components signed with Authenticode*
+- GP name: *IZ_PolicySignedFrameworkComponentsURLaction_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting**
+
+
+
+
+ADMX Info:
+- GP english name: *Script ActiveX controls marked safe for scripting*
+- GP name: *IZ_PolicyScriptActiveXMarkedSafe_1*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneWRONG**
+
+
+
+
+ADMX Info:
+- GP english name: *Scripting of Java applets*
+- GP name: *IZ_PolicyScriptingOfJavaApplets_6*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneWRONG2**
+
+
+
+
+ADMX Info:
+- GP english name: *Show security warning for potentially unsafe files*
+- GP name: *IZ_Policy_UnsafeFiles_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneWRONG3**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on Cross-Site Scripting Filter*
+- GP name: *IZ_PolicyTurnOnXSSFilter_Both_Restricted*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneWRONG4**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on Protected Mode*
+- GP name: *IZ_Policy_TurnOnProtectedMode_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/RestrictedSitesZoneWRONG5**
+
+
+
+
+ADMX Info:
+- GP english name: *Use Pop-up Blocker*
+- GP name: *IZ_PolicyBlockPopupWindows_7*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *All Processes*
+- GP name: *IESF_PolicyAllProcesses_8*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/SearchProviderList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
+
+If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
+
+If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
+
+
+
+ADMX Info:
+- GP english name: *Restrict search providers to a specific list*
+- GP name: *SpecificSearchProvider*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/SecurityZonesUseOnlyMachineSettings**
+
+
+
+
+ADMX Info:
+- GP english name: *Security Zones: Use only machine settings *
+- GP name: *Security_HKLM_only*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/SpecifyUseOfActiveXInstallerService**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify use of ActiveX Installer Service for installation of ActiveX controls*
+- GP name: *OnlyUseAXISForActiveXInstall*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowScriptlets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneJavaPermissions**
+
+
+
+
+ADMX Info:
+- GP english name: *Java permissions*
+- GP name: *IZ_PolicyJavaPermissions_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneWRONG1**
+
+
+
+
+ADMX Info:
+- GP english name: *Don't run antimalware programs against ActiveX controls*
+- GP name: *IZ_PolicyAntiMalwareCheckingOfActiveXControls_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneWRONG2**
+
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
new file mode 100644
index 0000000000..a8fbdb51d5
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -0,0 +1,247 @@
+---
+title: Policy CSP - Kerberos
+description: Policy CSP - Kerberos
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Kerberos
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Kerberos policies
+
+
+**Kerberos/AllowForestSearchOrder**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
+
+If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
+
+If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
+
+
+
+ADMX Info:
+- GP english name: *Use forest search order*
+- GP name: *ForestSearch*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
+If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
+
+If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
+
+
+
+ADMX Info:
+- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
+- GP name: *EnableCbacAndArmor*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/RequireKerberosArmoring**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
+
+Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
+
+If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
+
+Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
+
+If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
+
+
+
+ADMX Info:
+- GP english name: *Fail authentication requests when Kerberos armoring is not available*
+- GP name: *ClientRequireFast*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/RequireStrictKDCValidation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
+
+If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
+
+If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
+
+
+
+ADMX Info:
+- GP english name: *Require strict KDC validation*
+- GP name: *ValidateKDC*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/SetMaximumContextTokenSize**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
+
+The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
+
+If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
+
+If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
+
+Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+
+
+
+ADMX Info:
+- GP english name: *Set maximum Kerberos SSPI context token buffer size*
+- GP name: *MaxTokenSize*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
new file mode 100644
index 0000000000..8c80b8d3a3
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -0,0 +1,102 @@
+---
+title: Policy CSP - Licensing
+description: Policy CSP - Licensing
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Licensing
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Licensing policies
+
+
+**Licensing/AllowWindowsEntitlementReactivation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
+
+
The following list shows the supported values:
+
+- 0 – Disable Windows license reactivation on managed devices.
+- 1 (default) – Enable Windows license reactivation on managed devices.
+
+
+
+
+**Licensing/DisallowKMSClientOnlineAVSValidation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+
+
The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
new file mode 100644
index 0000000000..f645587446
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -0,0 +1,74 @@
+---
+title: Policy CSP - Location
+description: Policy CSP - Location
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Location
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Location policies
+
+
+**Location/EnableLocation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
+
+> [!IMPORTANT]
+> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
+
+
The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+
To validate on Desktop, do the following:
+
+1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
+2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
new file mode 100644
index 0000000000..25dc0413fe
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -0,0 +1,68 @@
+---
+title: Policy CSP - LockDown
+description: Policy CSP - LockDown
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - LockDown
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## LockDown policies
+
+
+**LockDown/AllowEdgeSwipe**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
+
+
The following list shows the supported values:
+
+- 0 - disallow edge swipe.
+- 1 (default, not configured) - allow edge swipe.
+
+
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
new file mode 100644
index 0000000000..71023a8d83
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -0,0 +1,108 @@
+---
+title: Policy CSP - Maps
+description: Policy CSP - Maps
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Maps
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Maps policies
+
+
+**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
+
+
The following list shows the supported values:
+
+- 65535 (default) – Not configured. User's choice.
+- 0 – Disabled. Force disable auto-update over metered connection.
+- 1 – Enabled. Force enable auto-update over metered connection.
+
+
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+
+
+
+
+**Maps/EnableOfflineMapsAutoUpdate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Disables the automatic download and update of map data.
+
+
The following list shows the supported values:
+
+- 65535 (default) – Not configured. User's choice.
+- 0 – Disabled. Force off auto-update.
+- 1 – Enabled. Force on auto-update.
+
+
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
new file mode 100644
index 0000000000..0cb1012fa9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -0,0 +1,144 @@
+---
+title: Policy CSP - Messaging
+description: Policy CSP - Messaging
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Messaging
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Messaging policies
+
+
+**Messaging/AllowMMS**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 2 |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
+
+
The following list shows the supported values:
+
+- 0 - Disabled.
+- 1 (default) - Enabled.
+
+
+
+
+**Messaging/AllowMessageSync**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+
The following list shows the supported values:
+
+- 0 - message sync is not allowed and cannot be changed by the user.
+- 1 - message sync is allowed. The user can change this setting.
+
+
+
+
+**Messaging/AllowRCS**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 2 |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
+
+
The following list shows the supported values:
+
+- 0 - Disabled.
+- 1 (default) - Enabled.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
new file mode 100644
index 0000000000..8c7f783b3c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -0,0 +1,297 @@
+---
+title: Policy CSP - NetworkIsolation
+description: Policy CSP - NetworkIsolation
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - NetworkIsolation
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## NetworkIsolation policies
+
+
+**NetworkIsolation/EnterpriseCloudResources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+
+
+**NetworkIsolation/EnterpriseIPRange**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
+
+``` syntax
+10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
+192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
+2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
+2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
+fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+```
+
+
+
+
+**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+
+
+
+**NetworkIsolation/EnterpriseInternalProxyServers**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+
+
+
+**NetworkIsolation/EnterpriseNetworkDomainNames**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
+
+> [!NOTE]
+> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.
+
+
+
Here are the steps to create canonical domain names:
+
+1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
+2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
+3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
+
+
+
+
+**NetworkIsolation/EnterpriseProxyServers**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+
+
+
+**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+
+
+
+**NetworkIsolation/NeutralResources**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+List of domain names that can used for work or personal resource.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
new file mode 100644
index 0000000000..1ba72d35a8
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -0,0 +1,77 @@
+---
+title: Policy CSP - Notifications
+description: Policy CSP - Notifications
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Notifications
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Notifications policies
+
+
+**Notifications/DisallowNotificationMirroring**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
+
+> [!IMPORTANT]
+> This node must be accessed using the following paths:
+>
+> - **./User/Vendor/MSFT/Policy/Config/Notifications/DisallowNotificationMirroring** to set the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Notifications/DisallowNotificationMirroring** to get the result.
+
+
+
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
+
+
No reboot or service restart is required for this policy to take effect.
+
+
The following list shows the supported values:
+
+- 0 (default)– enable notification mirroring.
+- 1 – disable notification mirroring.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
new file mode 100644
index 0000000000..b0b74a08f2
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -0,0 +1,421 @@
+---
+title: Policy CSP - Power
+description: Policy CSP - Power
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Power
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Power policies
+
+
+**Power/AllowStandbyWhenSleepingPluggedIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
+
+If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
+
+If you disable this policy setting, standby states (S1-S3) are not allowed.
+
+
+
+ADMX Info:
+- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
+- GP name: *AllowStandbyStatesAC_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/DisplayOffTimeoutOnBattery**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+
+
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
+
+
If you disable or do not configure this policy setting, users control this setting.
+
+
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Turn off the display (on battery)*
+- GP name: *VideoPowerDownTimeOutDC_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/DisplayOffTimeoutPluggedIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
+
+
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
+
+
If you disable or do not configure this policy setting, users control this setting.
+
+
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Turn off the display (plugged in)*
+- GP name: *VideoPowerDownTimeOutAC_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/HibernateTimeoutOnBattery**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+
+
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
+
+
If you disable or do not configure this policy setting, users control this setting.
+
+
+
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Specify the system hibernate timeout (on battery)*
+- GP name: *DCHibernateTimeOut_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/HibernateTimeoutPluggedIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
+
+
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
+
+
If you disable or do not configure this policy setting, users control this setting.
+
+
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Specify the system hibernate timeout (plugged in)*
+- GP name: *ACHibernateTimeOut_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/RequirePasswordWhenComputerWakesOnBattery**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
+
+If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
+
+If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
+
+
+
+ADMX Info:
+- GP english name: *Require a password when a computer wakes (on battery)*
+- GP name: *DCPromptForPasswordOnResume_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/RequirePasswordWhenComputerWakesPluggedIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
+
+If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
+
+If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
+
+
+
+ADMX Info:
+- GP english name: *Require a password when a computer wakes (plugged in)*
+- GP name: *ACPromptForPasswordOnResume_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/StandbyTimeoutOnBattery**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+
+
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
+
+
If you disable or do not configure this policy setting, users control this setting.
+
+
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Specify the system sleep timeout (on battery)*
+- GP name: *DCStandbyTimeOut_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/StandbyTimeoutPluggedIn**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
+
+
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
+
+
If you disable or do not configure this policy setting, users control this setting.
+
+
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
+
+
+
+ADMX Info:
+- GP english name: *Specify the system sleep timeout (plugged in)*
+- GP name: *ACStandbyTimeOut_2*
+- GP ADMX file name: *power.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
new file mode 100644
index 0000000000..ac4e6f725f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -0,0 +1,184 @@
+---
+title: Policy CSP - Printers
+description: Policy CSP - Printers
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Printers
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Printers policies
+
+
+**Printers/PointAndPrintRestrictions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
+
+If you enable this policy setting:
+-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
+-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
+
+If you do not configure this policy setting:
+-Windows Vista client computers can point and print to any server.
+-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
+
+If you disable this policy setting:
+-Windows Vista client computers can create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
+-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
+
+
+
+ADMX Info:
+- GP english name: *Point and Print Restrictions*
+- GP name: *PointAndPrint_Restrictions_Win7*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+**Printers/PointAndPrintRestrictions_User**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
+
+If you enable this policy setting:
+-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
+-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
+
+If you do not configure this policy setting:
+-Windows Vista client computers can point and print to any server.
+-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
+
+If you disable this policy setting:
+-Windows Vista client computers can create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
+-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
+
+
+
+ADMX Info:
+- GP english name: *Point and Print Restrictions*
+- GP name: *PointAndPrint_Restrictions*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+**Printers/PublishPrinters**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Determines whether the computer's shared printers can be published in Active Directory.
+
+If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
+
+If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
+
+Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
+
+
+
+ADMX Info:
+- GP english name: *Allow printers to be published*
+- GP name: *PublishPrinters*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
new file mode 100644
index 0000000000..6436a76202
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -0,0 +1,2556 @@
+---
+title: Policy CSP - Privacy
+description: Policy CSP - Privacy
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Privacy
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Privacy policies
+
+
+**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
+
+
The following list shows the supported values:
+
+- 0 (default)– Not allowed.
+- 1 – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Privacy/AllowInputPersonalization**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+
+**Privacy/DisableAdvertisingId**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Enables or disables the Advertising ID.
+
+
The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 – Enabled.
+- 65535 (default)- Not configured.
+
+
Most restricted value is 0.
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCalendar**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCallHistory**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+
+**Privacy/LetAppsAccessCamera**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessContacts**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessEmail**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessLocation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMessaging**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMicrophone**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMotion**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessNotifications**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessPhone**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessRadios**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessTasks**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+
+
+
+**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsGetDiagnosticInfo**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsRunInBackground**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
+
+
The following list shows the supported values:
+
+- 0 – User in control (default).
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+> [!WARNING]
+> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly.
+
+
+
+
+**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 2 |
+ 2 |
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsSyncWithDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
+
+
The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+
Most restricted value is 2.
+
+
+
+
+**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+
+**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Privacy policies supported by Windows Holographic for Business
+
+- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+
+
+
+## Privacy policies supported by IoT Core
+
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+
+
+
+## Privacy policies supported by Microsoft Surface Hub
+
+- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
+- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
+- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground)
+- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
+- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
+- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
new file mode 100644
index 0000000000..bae354870c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -0,0 +1,249 @@
+---
+title: Policy CSP - RemoteAssistance
+description: Policy CSP - RemoteAssistance
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - RemoteAssistance
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## RemoteAssistance policies
+
+
+**RemoteAssistance/CustomizeWarningMessages**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting lets you customize warning messages.
+
+The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
+
+The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
+
+If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
+
+If you disable this policy setting, the user sees the default warning message.
+
+If you do not configure this policy setting, the user sees the default warning message.
+
+
+
+ADMX Info:
+- GP english name: *Customize warning messages*
+- GP name: *RA_Options*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+**RemoteAssistance/SessionLogging**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
+
+If you enable this policy setting, log files are generated.
+
+If you disable this policy setting, log files are not generated.
+
+If you do not configure this setting, application-based settings are used.
+
+
+
+ADMX Info:
+- GP english name: *Turn on session logging*
+- GP name: *RA_Logging*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+**RemoteAssistance/SolicitedRemoteAssistance**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
+
+If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
+
+If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
+
+If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
+
+If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
+
+The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
+
+The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
+
+If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
+
+
+
+ADMX Info:
+- GP english name: *Configure Solicited Remote Assistance*
+- GP name: *RA_Solicit*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+**RemoteAssistance/UnsolicitedRemoteAssistance**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
+
+If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
+
+If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
+
+If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
+
+If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
+
+To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
+
+\ or
+
+\
+
+If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
+
+Windows Vista and later
+
+Enable the Remote Assistance exception for the domain profile. The exception must contain:
+Port 135:TCP
+%WINDIR%\System32\msra.exe
+%WINDIR%\System32\raserver.exe
+
+Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
+
+Port 135:TCP
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
+%WINDIR%\System32\Sessmgr.exe
+
+For computers running Windows Server 2003 with Service Pack 1 (SP1)
+
+Port 135:TCP
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
+%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
+Allow Remote Desktop Exception
+
+
+
+ADMX Info:
+- GP english name: *Configure Offer Remote Assistance*
+- GP name: *RA_Unsolicit*
+- GP ADMX file name: *remoteassistance.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
new file mode 100644
index 0000000000..c73c7a4093
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -0,0 +1,314 @@
+---
+title: Policy CSP - RemoteDesktopServices
+description: Policy CSP - RemoteDesktopServices
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - RemoteDesktopServices
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## RemoteDesktopServices policies
+
+
+**RemoteDesktopServices/AllowUsersToConnectRemotely**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
+
+If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
+
+If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
+
+If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
+
+Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
+
+You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
+
+
+
+ADMX Info:
+- GP english name: *Allow users to connect remotely by using Remote Desktop Services*
+- GP name: *TS_DISABLE_CONNECTIONS*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+**RemoteDesktopServices/ClientConnectionEncryptionLevel**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
+
+If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
+
+* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
+
+* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
+
+* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
+
+If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.
+
+Important
+
+FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption.
+
+
+
+ADMX Info:
+- GP english name: *Set client connection encryption level*
+- GP name: *TS_ENCRYPTION_POLICY*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+**RemoteDesktopServices/DoNotAllowDriveRedirection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
+
+By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.
+
+If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
+
+If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
+
+If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level.
+
+
+
+ADMX Info:
+- GP english name: *Do not allow drive redirection*
+- GP name: *TS_CLIENT_DRIVE_M*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+**RemoteDesktopServices/DoNotAllowPasswordSaving**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Controls whether passwords can be saved on this computer from Remote Desktop Connection.
+
+If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
+
+If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
+
+
+
+ADMX Info:
+- GP english name: *Do not allow passwords to be saved*
+- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+**RemoteDesktopServices/PromptForPasswordUponConnection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
+
+You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
+
+By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
+
+If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
+
+If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
+
+If you do not configure this policy setting, automatic logon is not specified at the Group Policy level.
+
+
+
+ADMX Info:
+- GP english name: *Always prompt for password upon connection*
+- GP name: *TS_PASSWORD*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+**RemoteDesktopServices/RequireSecureRPCCommunication**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
+
+You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
+
+If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
+
+If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.
+
+If the status is set to Not Configured, unsecured communication is allowed.
+
+Note: The RPC interface is used for administering and configuring Remote Desktop Services.
+
+
+
+ADMX Info:
+- GP english name: *Require secure RPC communication*
+- GP name: *TS_RPC_ENCRYPTION*
+- GP ADMX file name: *terminalserver.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
new file mode 100644
index 0000000000..4c0d02a0fb
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -0,0 +1,225 @@
+---
+title: Policy CSP - RemoteManagement
+description: Policy CSP - RemoteManagement
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - RemoteManagement
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## RemoteManagement policies
+
+
+**RemoteManagement/AllowBasicAuthentication_Client**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow Basic authentication*
+- GP name: *AllowBasic_2*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowBasicAuthentication_Service**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow Basic authentication*
+- GP name: *AllowBasic_1*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowCredSSPAuthenticationClient**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow CredSSP authentication*
+- GP name: *AllowCredSSP_1*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowCredSSPAuthenticationService**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow CredSSP authentication*
+- GP name: *AllowCredSSP_2*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowRemoteServerManagement**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow remote server management through WinRM*
+- GP name: *AllowAutoConfig*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowUnencryptedTraffic_Client**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow unencrypted traffic*
+- GP name: *AllowUnencrypted_2*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/AllowUnencryptedTraffic_Service**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow unencrypted traffic*
+- GP name: *AllowUnencrypted_1*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/DisallowDigestAuthentication**
+
+
+
+
+ADMX Info:
+- GP english name: *Disallow Digest authentication*
+- GP name: *DisallowDigest*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/DisallowNegotiateAuthenticationClient**
+
+
+
+
+ADMX Info:
+- GP english name: *Disallow Negotiate authentication*
+- GP name: *DisallowNegotiate_1*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/DisallowNegotiateAuthenticationService**
+
+
+
+
+ADMX Info:
+- GP english name: *Disallow Negotiate authentication*
+- GP name: *DisallowNegotiate_2*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/DisallowStoringOfRunAsCredentials**
+
+
+
+
+ADMX Info:
+- GP english name: *Disallow WinRM from storing RunAs credentials*
+- GP name: *DisableRunAs*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify channel binding token hardening level*
+- GP name: *CBTHardeningLevel_1*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/TrustedHosts**
+
+
+
+
+ADMX Info:
+- GP english name: *Trusted Hosts*
+- GP name: *TrustedHosts*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/TurnOnCompatibilityHTTPListener**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn On Compatibility HTTP Listener*
+- GP name: *HttpCompatibilityListener*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+**RemoteManagement/TurnOnCompatibilityHTTPSListener**
+
+
+
+
+ADMX Info:
+- GP english name: *Turn On Compatibility HTTPS Listener*
+- GP name: *HttpsCompatibilityListener*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
new file mode 100644
index 0000000000..56389b3ae7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -0,0 +1,130 @@
+---
+title: Policy CSP - RemoteProcedureCall
+description: Policy CSP - RemoteProcedureCall
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - RemoteProcedureCall
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## RemoteProcedureCall policies
+
+
+**RemoteProcedureCall/RPCEndpointMapperClientAuthentication**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
+
+If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
+
+If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+
+If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+
+Note: This policy will not be applied until the system is rebooted.
+
+
+
+ADMX Info:
+- GP english name: *Enable RPC Endpoint Mapper Client Authentication*
+- GP name: *RpcEnableAuthEpResolution*
+- GP ADMX file name: *rpc.admx*
+
+
+
+
+**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
+
+This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
+
+If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
+
+If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
+
+If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
+
+-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.
+
+-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
+
+-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
+
+Note: This policy setting will not be applied until the system is rebooted.
+
+
+
+ADMX Info:
+- GP english name: *Restrict Unauthenticated RPC clients*
+- GP name: *RpcRestrictRemoteClients*
+- GP ADMX file name: *rpc.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
new file mode 100644
index 0000000000..08ec87e539
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -0,0 +1,121 @@
+---
+title: Policy CSP - RemoteShell
+description: Policy CSP - RemoteShell
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - RemoteShell
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## RemoteShell policies
+
+
+**RemoteShell/AllowRemoteShellAccess**
+
+
+
+
+ADMX Info:
+- GP english name: *Allow Remote Shell Access*
+- GP name: *AllowRemoteShellAccess*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+**RemoteShell/MaxConcurrentUsers**
+
+
+
+
+ADMX Info:
+- GP english name: *MaxConcurrentUsers*
+- GP name: *MaxConcurrentUsers*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+**RemoteShell/SpecifyIdleTimeout**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify idle Timeout*
+- GP name: *IdleTimeout*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+**RemoteShell/SpecifyMaxMemory**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify maximum amount of memory in MB per Shell*
+- GP name: *MaxMemoryPerShellMB*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+**RemoteShell/SpecifyMaxProcesses**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify maximum number of processes per Shell*
+- GP name: *MaxProcessesPerShell*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+**RemoteShell/SpecifyMaxRemoteShells**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify maximum number of remote shells per user*
+- GP name: *MaxShellsPerUser*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+**RemoteShell/SpecifyShellTimeout**
+
+
+
+
+ADMX Info:
+- GP english name: *Specify Shell Timeout*
+- GP name: *ShellTimeOut*
+- GP ADMX file name: *WindowsRemoteShell.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
new file mode 100644
index 0000000000..73badec791
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -0,0 +1,392 @@
+---
+title: Policy CSP - Search
+description: Policy CSP - Search
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Search
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Search policies
+
+
+**Search/AllowIndexingEncryptedStoresOrItems**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
+
+
When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
+
+
When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Search/AllowSearchToUseLocation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether search can leverage location information.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Search/AllowUsingDiacritics**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows the use of diacritics.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Search/AlwaysUseAutoLangDetection**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to always use automatic language detection when indexing content and properties.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Search/DisableBackoff**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
+
+
The following list shows the supported values:
+
+- 0 (default) – Disable.
+- 1 – Enable.
+
+
+
+
+**Search/DisableRemovableDriveIndexing**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting configures whether or not locations on removable drives can be added to libraries.
+
+
If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
+
+
If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
+
+
The following list shows the supported values:
+
+- 0 (default) – Disable.
+- 1 – Enable.
+
+
+
+
+**Search/PreventIndexingLowDiskSpaceMB**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
+
+
Enable this policy if computers in your environment have extremely limited hard drive space.
+
+
When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
+
+
The following list shows the supported values:
+
+- 0 – Disable.
+- 1 (default) – Enable.
+
+
+
+
+**Search/PreventRemoteQueries**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
+
+
The following list shows the supported values:
+
+- 0 – Disable.
+- 1 (default) – Enable.
+
+
+
+
+**Search/SafeSearchPermissions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies what level of safe search (filtering adult content) is required.
+
+
The following list shows the supported values:
+
+- 0 – Strict, highest filtering against adult content.
+- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).
+
+
Most restricted value is 0.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Search policies that can be set using Exchange Active Sync (EAS)
+
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+
+
+
+## Search policies supported by Windows Holographic for Business
+
+- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
+
+
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
new file mode 100644
index 0000000000..b9da338ad1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -0,0 +1,426 @@
+---
+title: Policy CSP - Security
+description: Policy CSP - Security
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Security
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Security policies
+
+
+**Security/AllowAddProvisioningPackage**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to allow the runtime configuration agent to install provisioning packages.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy has been deprecated in Windows 10, version 1607
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Security/AllowManualRootCertificateInstallation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Specifies whether the user is allowed to manually install root and intermediate CA certificates.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Security/AllowRemoveProvisioningPackage**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to allow the runtime configuration agent to remove provisioning packages.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Security/AntiTheftMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+Allows or disallow Anti Theft Mode on the device.
+
+
The following list shows the supported values:
+
+- 0 – Don't allow Anti Theft Mode.
+- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
+
+
+
+
+**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
+
+
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
+
+
The following list shows the supported values:
+
+- 0 (default) – Encryption enabled.
+- 1 – Encryption disabled.
+
+
+
+
+**Security/RequireDeviceEncryption**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
+
+Allows enterprise to turn on internal storage encryption.
+
+
The following list shows the supported values:
+
+- 0 (default) – Encryption is not required.
+- 1 – Encryption is required.
+
+
Most restricted value is 1.
+
+> [!IMPORTANT]
+> If encryption has been enabled, it cannot be turned off by using this policy.
+
+
+
+
+**Security/RequireProvisioningPackageSignature**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not required.
+- 1 – Required.
+
+
+
+
+**Security/RequireRetrieveHealthCertificateOnBoot**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not required.
+- 1 – Required.
+
+
Setting this policy to 1 (Required):
+
+- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
+- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
+
+> [!NOTE]
+> We recommend that this policy is set to Required after MDM enrollment.
+
+
+
Most restricted value is 1.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Security policies that can be set using Exchange Active Sync (EAS)
+
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+
+
+
+## Security policies supported by Windows Holographic for Business
+
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+
+
+
+## Security policies supported by IoT Core
+
+- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
+- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
+- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+
+
+
+## Security policies supported by Microsoft Surface Hub
+
+- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
+- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
+
+
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
new file mode 100644
index 0000000000..aac7fdd2e4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -0,0 +1,559 @@
+---
+title: Policy CSP - Settings
+description: Policy CSP - Settings
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Settings
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Settings policies
+
+
+**Settings/AllowAutoPlay**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows the user to change Auto Play settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+> [!NOTE]
+> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
+
+
+
+
+**Settings/AllowDataSense**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows the user to change Data Sense settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowDateTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows the user to change date and time settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowEditDeviceName**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 1 |
+ 1 |
+
+
+
+
+
+Allows editing of the device name.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowLanguage**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows the user to change the language settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowPowerSleep**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows the user to change power and sleep settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowRegion**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows the user to change the region settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowSignInOptions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows the user to change sign-in options.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowVPN**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows the user to change VPN settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowWorkplace**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Allows user to change workplace settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/AllowYourAccount**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows user to change account settings.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+**Settings/ConfigureTaskbarCalendar**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
+
+
The following list shows the supported values:
+
+- 0 (default) – User will be allowed to configure the setting.
+- 1 – Don't show additional calendars.
+- 2 - Simplified Chinese (Lunar).
+- 3 - Traditional Chinese (Lunar).
+
+
+
+
+**Settings/PageVisibilityList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
+
+
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
+
+
showonly:about;bluetooth
+
+
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
+
+
The format of the PageVisibilityList value is as follows:
+
+- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
+- There are two variants: one that shows only the given pages and one which hides the given pages.
+- The first variant starts with the string "showonly:" and the second with the string "hide:".
+- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
+- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi".
+
+
The default value for this setting is an empty string, which is interpreted as show everything.
+
+
Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
+
+
showonly:wi-fi;bluetooth
+
+
Example 2, specifies that the wifi page should not be shown:
+
+
hide:wifi
+
+
To validate on Desktop, do the following:
+
+1. Open System Settings and verfiy that the About page is visible and accessible.
+2. Configure the policy with the following string: "hide:about".
+3. Open System Settings again and verify that the About page is no longer accessible.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Settings policies supported by Windows Holographic for Business
+
+- [Settings/AllowDateTime](#settings-allowdatetime)
+- [Settings/AllowVPN](#settings-allowvpn)
+
+
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
new file mode 100644
index 0000000000..968712f98d
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -0,0 +1,138 @@
+---
+title: Policy CSP - SmartScreen
+description: Policy CSP - SmartScreen
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - SmartScreen
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## SmartScreen policies
+
+
+**SmartScreen/EnableAppInstallControl**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
+
+
The following list shows the supported values:
+
+- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
+- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
+
+
+
+
+**SmartScreen/EnableSmartScreenInShell**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
+
+
The following list shows the supported values:
+
+- 0 – Turns off SmartScreen in Windows.
+- 1 – Turns on SmartScreen in Windows.
+
+
+
+
+**SmartScreen/PreventOverrideForFilesInShell**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
+
+
The following list shows the supported values:
+
+- 0 – Employees can ignore SmartScreen warnings and run malicious files.
+- 1 – Employees cannot ignore SmartScreen warnings and run malicious files.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
new file mode 100644
index 0000000000..b67d1464b7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -0,0 +1,66 @@
+---
+title: Policy CSP - Speech
+description: Policy CSP - Speech
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Speech
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Speech policies
+
+
+**Speech/AllowSpeechModelUpdate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ | 1 |
+ 1 |
+ |
+ 1 |
+ 1 |
+ 1 |
+ 1 |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
new file mode 100644
index 0000000000..9c3c33dc73
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -0,0 +1,1192 @@
+---
+title: Policy CSP - Start
+description: Policy CSP - Start
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Start
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Start policies
+
+
+**Start/AllowPinnedFolderDocuments**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderDownloads**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderFileExplorer**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderHomeGroup**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderMusic**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderNetwork**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderPersonalFolder**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderPictures**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderSettings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/AllowPinnedFolderVideos**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
+
+
The following list shows the supported values:
+
+- 0 – The shortcut is hidden and disables the setting in the Settings app.
+- 1 – The shortcut is visible and disables the setting in the Settings app.
+- 65535 (default) - There is no enforced configuration and the setting can be changed by the user.
+
+
+
+
+**Start/ForceStartSize**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+Forces the start screen size.
+
+
The following list shows the supported values:
+
+- 0 (default) – Do not force size of Start.
+- 1 – Force non-fullscreen size of Start.
+- 2 - Force a fullscreen size of Start.
+
+
If there is policy configuration conflict, the latest configuration request is applied to the device.
+
+
+
+
+**Start/HideAppList**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list.
+
+
The following list shows the supported values:
+
+- 0 (default) – None.
+- 1 – Hide all apps list.
+- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
+- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
+
+
To validate on Desktop, do the following:
+
+- 1 - Enable policy and restart explorer.exe
+- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out.
+- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
+- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
+
+
+
+
+**Start/HideChangeAccountSettings**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
+
+
+
+
+**Start/HideFrequentlyUsedApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable "Show most used apps" in the Settings app.
+2. Use some apps to get them into the most used group in Start.
+3. Enable policy.
+4. Restart explorer.exe
+5. Check that "Show most used apps" Settings toggle is grayed out.
+6. Check that most used apps do not appear in Start.
+
+
+
+
+**Start/HideHibernate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Laptop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Hibernate" is not available.
+
+> [!NOTE]
+> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
+
+
+
+
+**Start/HideLock**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify "Lock" is not available.
+
+
+
+
+**Start/HidePowerButton**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, and verify the power button is not available.
+
+
+
+
+**Start/HideRecentJumplists**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings.
+2. Pin Photos to the taskbar, and open some images in the photos app.
+3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up.
+4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists.
+5. Enable policy.
+6. Restart explorer.exe
+7. Check that Settings toggle is grayed out.
+8. Repeat Step 2.
+9. Right Click pinned photos app and verify that there is no jumplist of recent items.
+
+
+
+
+**Start/HideRecentlyAddedApps**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable "Show recently added apps" in the Settings app.
+2. Check if there are recently added apps in Start (if not, install some).
+3. Enable policy.
+4. Restart explorer.exe
+5. Check that "Show recently added apps" Settings toggle is grayed out.
+6. Check that recently added apps do not appear in Start.
+
+
+
+
+**Start/HideRestart**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
+
+
+
+
+**Start/HideShutDown**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
+
+
+
+
+**Start/HideSignOut**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify "Sign out" is not available.
+
+
+
+
+**Start/HideSleep**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the Power button, and verify that "Sleep" is not available.
+
+
+
+
+**Start/HideSwitchAccount**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Open Start, click on the user tile, and verify that "Switch account" is not available.
+
+
+
+
+**Start/HideUserTile**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (do not hide).
+- 1 - True (hide).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Log off.
+3. Log in, and verify that the user tile is gone from Start.
+
+
+
+
+**Start/ImportEdgeAssets**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy requires reboot to take effect.
+
+Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
+
+> [!IMPORTANT]
+> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
+
+
The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic.
+
+
To validate on Desktop, do the following:
+
+1. Set policy with an XML for Edge assets.
+2. Set StartLayout policy to anything so that it would trigger the Edge assets import.
+3. Sign out/in.
+4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
+
+
+
+
+**Start/NoPinningToTaskbar**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (pinning enabled).
+- 1 - True (pinning disabled).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Right click on a program pinned to taskbar.
+3. Verify that "Unpin from taskbar" menu does not show.
+4. Open Start and right click on one of the app list icons.
+5. Verify that More->Pin to taskbar menu does not show.
+
+
+
+
+**Start/StartLayout**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!IMPORTANT]
+> This node is set on a per-user basis and must be accessed using the following paths:
+> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
+>
+>
+> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
+> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
+> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
+
+
+Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
+
+
This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
new file mode 100644
index 0000000000..7d305a13d9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -0,0 +1,72 @@
+---
+title: Policy CSP - Storage
+description: Policy CSP - Storage
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Storage
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Storage policies
+
+
+**Storage/EnhancedStorageDevices**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+This policy setting configures whether or not Windows will activate an Enhanced Storage device.
+
+If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
+
+If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
+
+
+
+ADMX Info:
+- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
+- GP name: *TCGSecurityActivationDisabled*
+- GP ADMX file name: *enhancedstorage.admx*
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
new file mode 100644
index 0000000000..bfc21c114d
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -0,0 +1,614 @@
+---
+title: Policy CSP - System
+description: Policy CSP - System
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - System
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## System policies
+
+
+**System/AllowBuildPreview**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
+
+
+This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
+
+
If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
+- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
+- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
+
+
+
+
+**System/AllowEmbeddedMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether set general purpose device to be in embedded mode.
+
+
The following list shows the supported values:
+
+- 0 (default) – Not allowed.
+- 1 – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**System/AllowExperimentation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is not supported in Windows 10, version 1607.
+
+This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
+
+
The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 (default) – Permits Microsoft to configure device settings only.
+- 2 – Allows Microsoft to conduct full experimentations.
+
+
Most restricted value is 0.
+
+
+
+
+**System/AllowFontProviders**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
+
+
Supported values:
+
+- false - No traffic to fs.microsoft.com and only locally-installed fonts are available.
+- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
+
+
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
+
+
This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
+
+> [!Note]
+> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
+
+
To verify if System/AllowFontProviders is set to true:
+
+- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
+
+
+
+
+**System/AllowLocation**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to allow app access to the Location service.
+
+
The following list shows the supported values:
+
+- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
+- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
+- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
+
+
Most restricted value is 0.
+
+
While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
+
+
When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
+
+
For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
+
+
+
+
+**System/AllowStorageCard**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
+
+
The following list shows the supported values:
+
+- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
+- 1 (default) – Allow a storage card.
+
+
Most restricted value is 0.
+
+
+
+
+**System/AllowTelemetry**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allow the device to send diagnostic and usage telemetry data, such as Watson.
+
+
The following tables describe the supported values:
+
+
+
+
+
+
+
+
+
+
+0 – Not allowed.
+ |
+
+
+ 1 – Allowed, except for Secondary Data Requests. |
+
+
+2 (default) – Allowed. |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
+
+Note This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1.
+
+ |
+
+
+1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. |
+
+
+2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. |
+
+
+3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. |
+
+
+
+
+
+> [!IMPORTANT]
+> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
+
+
+Most restricted value is 0.
+
+
+
+
+**System/AllowUserToResetPhone**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed to reset to factory default settings.
+
+
Most restricted value is 0.
+
+
+
+
+**System/BootStartDriverInitialization**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+N/A
+
+
+
+ADMX Info:
+- GP name: *POL_DriverLoadPolicy_Name*
+- GP ADMX file name: *earlylauncham.admx*
+
+
+
+
+**System/DisableOneDriveFileSync**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
+
+* Users cannot access OneDrive from the OneDrive app or file picker.
+* Windows Store apps cannot access OneDrive using the WinRT API.
+* OneDrive does not appear in the navigation pane in File Explorer.
+* OneDrive files are not kept in sync with the cloud.
+* Users cannot automatically upload photos and videos from the camera roll folder.
+
+
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
+
+
The following list shows the supported values:
+
+- 0 (default) – False (sync enabled).
+- 1 – True (sync disabled).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Restart machine.
+3. Verify that OneDrive.exe is not running in Task Manager.
+
+
+
+
+**System/DisableSystemRestore**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Allows you to disable System Restore.
+
+This policy setting allows you to turn off System Restore.
+
+System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
+
+If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
+
+If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
+
+Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
+
+
+
+ADMX Info:
+- GP english name: *Turn off System Restore*
+- GP name: *SR_DisableSR*
+- GP ADMX file name: *systemrestore.admx*
+
+
+
+
+**System/TelemetryProxy**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
+
+
If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## System policies that can be set using Exchange Active Sync (EAS)
+
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+
+
+
+## System policies supported by Windows Holographic for Business
+
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+
+
+
+## System policies supported by IoT Core
+
+- [System/AllowEmbeddedMode](#system-allowembeddedmode)
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowStorageCard](#system-allowstoragecard)
+- [System/TelemetryProxy](#system-telemetryproxy)
+
+
+
+## System policies supported by Microsoft Surface Hub
+
+- [System/AllowFontProviders](#system-allowfontproviders)
+- [System/AllowLocation](#system-allowlocation)
+- [System/AllowTelemetry](#system-allowtelemetry)
+
+
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
new file mode 100644
index 0000000000..3baa9bb071
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -0,0 +1,580 @@
+---
+title: Policy CSP - TextInput
+description: Policy CSP - TextInput
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - TextInput
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## TextInput policies
+
+
+**TextInput/AllowIMELogging**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowIMENetworkAccess**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowInputPanel**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the IT admin to disable the touch/handwriting keyboard on Windows.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowJapaneseIMESurrogatePairCharacters**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the Japanese IME surrogate pair characters.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowJapaneseIVSCharacters**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows Japanese Ideographic Variation Sequence (IVS) characters.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowJapaneseNonPublishingStandardGlyph**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the Japanese non-publishing standard glyph.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowJapaneseUserDictionary**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the Japanese user dictionary.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/AllowKeyboardTextSuggestions**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
+
+
The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 (default) – Enabled.
+
+
Most restricted value is 0.
+
+
To validate that text prediction is disabled on Windows 10 for desktop, do the following:
+
+1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
+2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
+3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
+
+
+
+
+**TextInput/AllowKoreanExtendedHanja**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+This policy has been deprecated.
+
+
+
+
+**TextInput/AllowLanguageFeaturesUninstall**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the uninstall of language features, such as spell checkers, on a device.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**TextInput/ExcludeJapaneseIMEExceptJIS0208**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the users to restrict character code range of conversion by setting the character filter.
+
+
The following list shows the supported values:
+
+- 0 (default) – No characters are filtered.
+- 1 – All characters except JIS0208 are filtered.
+
+
+
+
+**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the users to restrict character code range of conversion by setting the character filter.
+
+
The following list shows the supported values:
+
+- 0 (default) – No characters are filtered.
+- 1 – All characters except JIS0208 and EUDC are filtered.
+
+
+
+
+**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> The policy is only enforced in Windows 10 for desktop.
+
+
+Allows the users to restrict character code range of conversion by setting the character filter.
+
+
The following list shows the supported values:
+
+- 0 (default) – No characters are filtered.
+- 1 – All characters except ShiftJIS are filtered.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## TextInput policies supported by Microsoft Surface Hub
+
+- [TextInput/AllowIMELogging](#textinput-allowimelogging)
+- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
+- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
+- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
+- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
+- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
+- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
+- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
+- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
+- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
+
+
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
new file mode 100644
index 0000000000..c3bcd16106
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -0,0 +1,74 @@
+---
+title: Policy CSP - TimeLanguageSettings
+description: Policy CSP - TimeLanguageSettings
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - TimeLanguageSettings
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## TimeLanguageSettings policies
+
+
+**TimeLanguageSettings/AllowSet24HourClock**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ 2 |
+ 2 |
+
+
+
+
+
+Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
+
+
The following list shows the supported values:
+
+- 0 – Locale default setting.
+- 1 (default) – Set 24 hour clock.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## TimeLanguageSettings policies supported by Microsoft Surface Hub
+
+- [TimeLanguageSettings/Set24HourClock](#None)
+- [TimeLanguageSettings/SetCountry](#None)
+- [TimeLanguageSettings/SetLanguage](#None)
+
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
new file mode 100644
index 0000000000..eb5110a19b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -0,0 +1,1886 @@
+---
+title: Policy CSP - Update
+description: Policy CSP - Update
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Update
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Update policies
+
+
+**Update/ActiveHoursEnd**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+> [!NOTE]
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+
+
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+
The default is 17 (5 PM).
+
+
+
+
+**Update/ActiveHoursMaxRange**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+
+
Supported values are 8-18.
+
+
The default value is 18 (hours).
+
+
+
+
+**Update/ActiveHoursStart**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+> [!NOTE]
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+
+
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+
The default value is 8 (8 AM).
+
+
+
+
+**Update/AllowAutoUpdate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+
Supported operations are Get and Replace.
+
+
The following list shows the supported values:
+
+- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
+- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
+- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
+- 5 – Turn off automatic updates.
+
+> [!IMPORTANT]
+> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
+
+
+
If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+
+
+
+**Update/AllowMUUpdateService**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+
+
+Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed or not configured.
+- 1 – Allowed. Accepts updates received through Microsoft Update.
+
+
+
+
+**Update/AllowNonMicrosoftSignedUpdate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
+
+
Supported operations are Get and Replace.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+
+
This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+
+
+
+
+**Update/AllowUpdateService**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
+
+
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
+
+
Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
+
+
The following list shows the supported values:
+
+- 0 – Update service is not allowed.
+- 1 (default) – Update service is allowed.
+
+> [!NOTE]
+> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+
+
+
+**Update/AutoRestartDeadlinePeriodInDays**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
+
+
Supported values are 2-30 days.
+
+
The default value is 7 days.
+
+
+
+
+**Update/AutoRestartNotificationSchedule**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+
+
Supported values are 15, 30, 60, 120, and 240 (minutes).
+
+
The default value is 15 (minutes).
+
+
+
+
+**Update/AutoRestartRequiredNotificationDismissal**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
+
+
The following list shows the supported values:
+
+- 1 (default) – Auto Dismissal.
+- 2 – User Dismissal.
+
+
+
+
+**Update/BranchReadinessLevel**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+
+
The following list shows the supported values:
+
+- 16 (default) – User gets all applicable upgrades from Current Branch (CB).
+- 32 – User gets upgrades from Current Branch for Business (CBB).
+
+
+
+
+**Update/DeferFeatureUpdatesPeriodInDays**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+
Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
+
+
Supported values are 0-365 days.
+
+> [!IMPORTANT]
+> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
+
+
+
+
+**Update/DeferQualityUpdatesPeriodInDays**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
+
+
Supported values are 0-30.
+
+
+
+
+**Update/DeferUpdatePeriod**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+>
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
+
+
+Allows IT Admins to specify update delays for up to 4 weeks.
+
+
Supported values are 0-4, which refers to the number of weeks to defer updates.
+
+
In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
+
+- Update/RequireDeferUpgrade must be set to 1
+- System/AllowTelemetry must be set to 1 or higher
+
+
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
+
+
+
+
+
+
+
+
+
+
+OS upgrade |
+8 months |
+1 month |
+Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+
+
+Update |
+1 month |
+1 week |
+
+Note
+If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
+
+
+- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
+- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
+- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
+- Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
+- Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
+- Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
+- Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
+- Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
+ |
+
+
+Other/cannot defer |
+No deferral |
+No deferral |
+Any update category not specifically enumerated above falls into this category.
+Definition Update - E0789628-CE08-4437-BE74-2495B842F43B |
+
+
+
+
+
+
+
+**Update/DeferUpgradePeriod**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+>
+> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+>
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
+
+
+Allows IT Admins to specify additional upgrade delays for up to 8 months.
+
+
Supported values are 0-8, which refers to the number of months to defer upgrades.
+
+
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
+
+**Update/DetectionFrequency**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
+
+
+
+**Update/EngagedRestartDeadline**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
+
+
Supported values are 2-30 days.
+
+
The default value is 0 days (not specified).
+
+
+
+
+**Update/EngagedRestartSnoozeSchedule**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+
+
Supported values are 1-3 days.
+
+
The default value is 3 days.
+
+
+
+
+**Update/EngagedRestartTransitionSchedule**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+
+
Supported values are 2-30 days.
+
+
The default value is 7 days.
+
+
+
+
+**Update/ExcludeWUDriversInQualityUpdate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+
+
The following list shows the supported values:
+
+- 0 (default) – Allow Windows Update drivers.
+- 1 – Exclude Windows Update drivers.
+
+
+
+
+**Update/FillEmptyContentUrls**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
+
+> [!NOTE]
+> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
+
+
The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+
+
+
+**Update/IgnoreMOAppDownloadLimit**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+
+> [!WARNING]
+> Setting this policy might cause devices to incur costs from MO operators.
+
+
The following list shows the supported values:
+
+- 0 (default) – Do not ignore MO download limit for apps and their updates.
+- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
+
+
To validate this policy:
+
+1. Enable the policy ensure the device is on a cellular network.
+2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
+ - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
+
+ - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
+
+3. Verify that any downloads that are above the download size limit will complete without being paused.
+
+
+
+
+**Update/IgnoreMOUpdateDownloadLimit**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+
+> [!WARNING]
+> Setting this policy might cause devices to incur costs from MO operators.
+
+
The following list shows the supported values:
+
+- 0 (default) – Do not ignore MO download limit for OS updates.
+- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
+
+
To validate this policy:
+
+1. Enable the policy and ensure the device is on a cellular network.
+2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
+ - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
+
+3. Verify that any downloads that are above the download size limit will complete without being paused.
+
+
+
+
+**Update/PauseDeferrals**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+>
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
+
+
+Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
+
+
The following list shows the supported values:
+
+- 0 (default) – Deferrals are not paused.
+- 1 – Deferrals are paused.
+
+
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+
+
+
+
+**Update/PauseFeatureUpdates**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+
+
Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+
+
The following list shows the supported values:
+
+- 0 (default) – Feature Updates are not paused.
+- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
+
+
+
+
+**Update/PauseFeatureUpdatesStartTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
+
+
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+
+
+
+**Update/PauseQualityUpdates**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ 1 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+
+
The following list shows the supported values:
+
+- 0 (default) – Quality Updates are not paused.
+- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
+
+
+
+
+**Update/PauseQualityUpdatesStartTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
+
+
Value type is string. Supported operations are Add, Get, Delete, and Replace.
+
+
+
+
+**Update/RequireDeferUpgrade**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+>
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
+
+
+Allows the IT admin to set a device to CBB train.
+
+
The following list shows the supported values:
+
+- 0 (default) – User gets upgrades from Current Branch.
+- 1 – User gets upgrades from Current Branch for Business.
+
+
+
+
+**Update/RequireUpdateApproval**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+
+> [!NOTE]
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+
+
+Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+
+
Supported operations are Get and Replace.
+
+
The following list shows the supported values:
+
+- 0 – Not configured. The device installs all applicable updates.
+- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+
+
+
+
+**Update/ScheduleImminentRestartWarning**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+
+
Supported values are 15, 30, or 60 (minutes).
+
+
The default value is 15 (minutes).
+
+
+
+
+**Update/ScheduleRestartWarning**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
+
+
Supported values are 2, 4, 8, 12, or 24 (hours).
+
+
The default value is 4 (hours).
+
+
+
+
+**Update/ScheduledInstallDay**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Enables the IT admin to schedule the day of the update installation.
+
+
The data type is a integer.
+
+
Supported operations are Add, Delete, Get, and Replace.
+
+
The following list shows the supported values:
+
+- 0 (default) – Every day
+- 1 – Sunday
+- 2 – Monday
+- 3 – Tuesday
+- 4 – Wednesday
+- 5 – Thursday
+- 6 – Friday
+- 7 – Saturday
+
+
+
+
+**Update/ScheduledInstallEveryWeek**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
+
+- 0 - no update in the schedule
+- 1 - update is scheduled every week
+
+
+
+
+
+**Update/ScheduledInstallFirstWeek**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
+
+- 0 - no update in the schedule
+- 1 - update is scheduled every first week of the month
+
+
+
+
+
+**Update/ScheduledInstallFourthWeek**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
+
+- 0 - no update in the schedule
+- 1 - update is scheduled every fourth week of the month
+
+
+
+
+
+**Update/ScheduledInstallSecondWeek**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
+
+- 0 - no update in the schedule
+- 1 - update is scheduled every second week of the month
+
+
+
+
+
+**Update/ScheduledInstallThirdWeek**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+
+
+
+
+
+Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
+
+- 0 - no update in the schedule
+- 1 - update is scheduled every third week of the month
+
+
+
+
+
+**Update/ScheduledInstallTime**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Enables the IT admin to schedule the time of the update installation.
+
+
The data type is a integer.
+
+
Supported operations are Add, Delete, Get, and Replace.
+
+
Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+
+
The default value is 3.
+
+
+
+
+**Update/SetAutoRestartNotificationDisable**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
+
+
The following list shows the supported values:
+
+- 0 (default) – Enabled
+- 1 – Disabled
+
+
+
+
+**Update/SetEDURestart**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
+
+
The following list shows the supported values:
+
+- 0 - not configured
+- 1 - configured
+
+
+
+
+**Update/UpdateServiceUrl**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+> [!Important]
+> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
+
+Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
+
+
Supported operations are Get and Replace.
+
+
The following list shows the supported values:
+
+- Not configured. The device checks for updates from Microsoft Update.
+- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
+
+Example
+
+``` syntax
+
+ $CmdID$
+ -
+
+ chr
+ text/plain
+
+
+ ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl
+
+ http://abcd-srv:8530
+
+
+```
+
+
+
+
+**Update/UpdateServiceUrlAlternate**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+
+Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+
+
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+
+
To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+
+
Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+
+> [!Note]
+> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
+> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
+> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Update policies supported by Windows Holographic for Business
+
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
+
+## Update policies supported by IoT Core
+
+- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/PauseDeferrals](#update-pausedeferrals)
+- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
+- [Update/RequireUpdateApproval](#update-requireupdateapproval)
+- [Update/ScheduledInstallDay](#update-scheduledinstallday)
+- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+
+
+
+## Update policies supported by Microsoft Surface Hub
+
+- [Update/AllowAutoUpdate](#update-allowautoupdate)
+- [Update/AllowUpdateService](#update-allowupdateservice)
+- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule)
+- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal)
+- [Update/BranchReadinessLevel](#update-branchreadinesslevel)
+- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays)
+- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays)
+- [Update/DetectionFrequency](#update-detectionfrequency)
+- [Update/PauseFeatureUpdates](#update-pausefeatureupdates)
+- [Update/PauseQualityUpdates](#update-pausequalityupdates)
+- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning)
+- [Update/ScheduleRestartWarning](#update-schedulerestartwarning)
+- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable)
+- [Update/UpdateServiceUrl](#update-updateserviceurl)
+- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate)
+
+
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
new file mode 100644
index 0000000000..61525f5b57
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -0,0 +1,309 @@
+---
+title: Policy CSP - Wifi
+description: Policy CSP - Wifi
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - Wifi
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## Wifi policies
+
+
+**WiFi/AllowWiFiHotSpotReporting**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+This policy has been deprecated.
+
+
+
+
+**Wifi/AllowAutoConnectToWiFiSenseHotspots**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allow or disallow the device to automatically connect to Wi-Fi hotspots.
+
+
The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Wifi/AllowInternetSharing**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allow or disallow internet sharing.
+
+
The following list shows the supported values:
+
+- 0 – Do not allow the use of Internet Sharing.
+- 1 (default) – Allow the use of Internet Sharing.
+
+
Most restricted value is 0.
+
+
+
+
+**Wifi/AllowManualWiFiConfiguration**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
+
+
The following list shows the supported values:
+
+- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed.
+- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
+
+
Most restricted value is 0.
+
+> [!NOTE]
+> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
+
+
+
+
+**Wifi/AllowWiFi**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Allow or disallow WiFi connection.
+
+
The following list shows the supported values:
+
+- 0 – WiFi connection is not allowed.
+- 1 (default) – WiFi connection is allowed.
+
+
Most restricted value is 0.
+
+
+
+
+**Wifi/AllowWiFiDirect**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. Allow WiFi Direct connection..
+
+- 0 - WiFi Direct connection is not allowed.
+- 1 - WiFi Direct connection is allowed.
+
+
+
+
+**Wifi/WLANScanMode**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+
+
+
+Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
+
+
Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
+
+
The default value is 0.
+
+
Supported operations are Add, Delete, Get, and Replace.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
+
+## Wifi policies that can be set using Exchange Active Sync (EAS)
+
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
+
+
+
+## Wifi policies supported by IoT Core
+
+- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
+- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
+- [Wifi/AllowWiFi](#wifi-allowwifi)
+- [Wifi/WLANScanMode](#wifi-wlanscanmode)
+
+
+
+## Wifi policies supported by Microsoft Surface Hub
+
+- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
+
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
new file mode 100644
index 0000000000..edce18a72e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -0,0 +1,103 @@
+---
+title: Policy CSP - WindowsInkWorkspace
+description: Policy CSP - WindowsInkWorkspace
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - WindowsInkWorkspace
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## WindowsInkWorkspace policies
+
+
+**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
+
+
Value type is bool. The following list shows the supported values:
+
+- 0 - app suggestions are not allowed.
+- 1 (default) -allow app suggestions.
+
+
+
+
+**WindowsInkWorkspace/AllowWindowsInkWorkspace**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
+
+
Value type is int. The following list shows the supported values:
+
+- 0 - access to ink workspace is disabled. The feature is turned off.
+- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
+- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
new file mode 100644
index 0000000000..29b2de31e3
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -0,0 +1,155 @@
+---
+title: Policy CSP - WindowsLogon
+description: Policy CSP - WindowsLogon
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - WindowsLogon
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## WindowsLogon policies
+
+
+**WindowsLogon/DisableLockScreenAppNotifications**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to prevent app notifications from appearing on the lock screen.
+
+If you enable this policy setting, no app notifications are displayed on the lock screen.
+
+If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
+
+
+
+ADMX Info:
+- GP english name: *Turn off app notifications on the lock screen*
+- GP name: *DisableLockScreenAppNotifications*
+- GP ADMX file name: *logon.admx*
+
+
+
+
+**WindowsLogon/DontDisplayNetworkSelectionUI**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
+
+If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
+
+If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
+
+
+
+ADMX Info:
+- GP english name: *Do not display network selection UI*
+- GP name: *DontDisplayNetworkSelectionUI*
+- GP ADMX file name: *logon.admx*
+
+
+
+
+**WindowsLogon/HideFastUserSwitching**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ |
+ 2 |
+ 2 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
+
+
Value type is bool. The following list shows the supported values:
+
+- 0 (default) - Diabled (visible).
+- 1 - Enabled (hidden).
+
+
To validate on Desktop, do the following:
+
+1. Enable policy.
+2. Verify that the Switch account button in Start is hidden.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
new file mode 100644
index 0000000000..ab4b3cb9d6
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -0,0 +1,239 @@
+---
+title: Policy CSP - WirelessDisplay
+description: Policy CSP - WirelessDisplay
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP - WirelessDisplay
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+## WirelessDisplay policies
+
+
+**WirelessDisplay/AllowProjectionFromPC**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
+
+- 0 - your PC cannot discover or project to other devices.
+- 1 - your PC can discover and project to other devices
+
+
+
+
+**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
+
+- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
+- 1 - your PC can discover and project to other devices over infrastructure.
+
+
+
+
+**WirelessDisplay/AllowProjectionToPC**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
+
+
If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
+
+
Value type is integer. Valid value:
+
+- 0 - projection to PC is not allowed. Always off and the user cannot enable it.
+- 1 (default) - projection to PC is allowed. Enabled only above the lock screen.
+
+
+
+
+**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
+
+- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct.
+- 1 - your PC is discoverable and other devices can project to it over infrastructure.
+
+
+
+
+**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+ 2 |
+
+
+
+
+
+Added in Windows 10, version 1703.
+
+
+
+
+**WirelessDisplay/RequirePinForPairing**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 1 |
+ |
+ 1 |
+ 1 |
+ |
+ |
+
+
+
+
+
+Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
+
+
If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
+
+
Value type is integer. Valid value:
+
+- 0 (default) - PIN is not required.
+- 1 - PIN is required.
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index c982bb06b0..05e8da9fa3 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/07/2017
---
# VPNv2 CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
@@ -45,8 +47,6 @@ Supported operations include Get, Add, and Delete.
> **Note** If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
-
-
**VPNv2/***ProfileName***/AppTriggerList**
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
@@ -91,6 +91,11 @@ The subnet prefix size part of the destination prefix for the route entry. This,
Value type is int. Supported operations include Get, Add, Replace, and Delete.
+**VPNv2/***ProfileName***/RouteList/***routeRowId***/Metric**
+Added in Windows 10, version 1607. The route's metric.
+
+Value type is int. Supported operations include Get, Add, Replace, and Delete.
+
**VPNv2/***ProfileName***/RouteList/***routeRowId***/ExclusionRoute**
Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values:
@@ -261,7 +266,7 @@ Valid values:
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/***ProfileName***/LockDown**
+**VPNv2/***ProfileName***/LockDown** (./Device only profile)
Lockdown profile.
Valid values:
@@ -280,6 +285,24 @@ A Lockdown profile must be deleted before you can add, remove, or connect other
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+**VPNv2/***ProfileName***/DeviceTunnel** (./Device only profile)
+Device tunnel profile.
+
+Valid values:
+
+- False (default) - this is not a device tunnel profile.
+- True - this is a device tunnel profile.
+
+When the DeviceTunnel profile is turned on, it does the following things:
+
+- First, it automatically becomes an "always on" profile.
+- Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
+- Third, no other device tunnel profile maybe be present on the same machine.
+
+A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
+
+Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
**VPNv2/***ProfileName***/DnsSuffix**
Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
@@ -493,6 +516,8 @@ The following list contains the valid values:
- AES128
- AES192
- AES256
+- AES\_GCM_128
+- AES\_GCM_256
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -542,6 +567,11 @@ Added in Windows 10, version 1607. The preshared key used for an L2TP connectio
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+**VPNv2/***ProfileName***/NativeProfile/DisableClassBasedDefaultRoute**
+Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8
+
+Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
## Examples
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index f85acf61e2..1312ba1a63 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -7,11 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/07/2017
---
# VPNv2 DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider.
@@ -20,7 +22,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
``` syntax
@@ -33,7 +35,7 @@ The XML below is the current version for this CSP.
1.2
VPNv2
- ./Vendor/MSFT
+ ./Device/Vendor/MSFT
@@ -48,7 +50,7 @@ The XML below is the current version for this CSP.
- com.microsoft/1.2/MDM/VPNv2
+ com.microsoft/1.3/MDM/VPNv2
@@ -310,7 +312,7 @@ The XML below is the current version for this CSP.
-
+
False = This Route will direct traffic over the VPN
True = This Route will direct traffic over the physical interface
By default, this value is false.
@@ -953,6 +955,43 @@ The XML below is the current version for this CSP.
+
+ DeviceTunnel
+
+
+
+
+
+
+
+
+ False = This is not a Device Tunnel profile and it is the default value.
+ True = This is a Device Tunnel profile.
+
+ If turned on a device tunnel profile does four things.
+ First, it automatically becomes an always on profile.
+ Second, it does not require the presence or logging in
+ of any user to the machine in order for it to connect.
+ Third, no other Device Tunnel profile maybe be present on the
+ Same machine.
+
+ A device tunnel profile must be deleted before another device tunnel
+ profile can be added, removed, or connected.
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
DnsSuffix
@@ -1996,6 +2035,8 @@ The XML below is the current version for this CSP.
-- AES128
-- AES192
-- AES256
+ -- AES_GCM_128
+ -- AES_GCM_256
@@ -2180,7 +2221,7 @@ The XML below is the current version for this CSP.
-
+ com.microsoft/1.3/MDM/VPNv2
@@ -4087,6 +4128,8 @@ The XML below is the current version for this CSP.
-- AES128
-- AES192
-- AES256
+ -- AES_GCM_128
+ -- AES_GCM_256
@@ -4255,14 +4298,4 @@ The XML below is the current version for this CSP.
-```
-
-
-
-
-
-
-
-
-
-
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index b4b671369b..665ae99cae 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -12,6 +12,9 @@ ms.date: 06/19/2017
# WindowsAdvancedThreatProtection CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 00afc29c8a..196883556d 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -12,6 +12,9 @@ ms.date: 06/19/2017
# WindowsAdvancedThreatProtection DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 7dc9c4e629..26766b5852 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -1,19 +1,47 @@
-# [Deploy, Upgrade and Update Windows 10](index.md)
+# [Deploy and update Windows 10](index.md)
-## Deploy Windows 10
-### [What's new in Windows 10 deployment](deploy-whats-new.md)
+## [What's new in Windows 10 deployment](deploy-whats-new.md)
+## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+## [Windows 10 Enterprise E3 in CSP overview](windows-10-enterprise-e3-overview.md)
+## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+
+## [Deploy Windows 10](deploy.md)
+### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
+### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
+
+
+### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
+#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
+#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
+##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
+#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
+##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
+##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
+##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
+##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
+##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
+#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
+
+### [Windows 10 deployment test lab](windows-10-poc.md)
+#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
+#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
### [Plan for Windows 10 deployment](planning/index.md)
#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
#### [Windows 10 compatibility](planning/windows-10-compatibility.md)
#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
-#### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
-##### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
-##### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
-##### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
-##### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
-##### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
+
+#### [Volume Activation [client]](volume-activation/volume-activation-windows-10.md)
+##### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md)
+##### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md)
+##### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md)
+##### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md)
+##### [Monitor activation [client]](volume-activation/monitor-activation-client.md)
+##### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md)
+##### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md)
+
#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
##### [SUA User's Guide](planning/sua-users-guide.md)
###### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
@@ -39,15 +67,67 @@
####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
+
#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
-### [Overview of Windows AutoPilot](windows-10-auto-pilot.md)
-### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
-#### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+
+### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
+##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
+##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
+##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
+#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
+#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
+#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
+#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
+#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
+##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
+##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
+##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
+##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
+##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
+##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
+##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
+
+
+
+### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
+#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
+#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
+#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+
+
+
+
+### [Windows 10 deployment tools](windows-10-deployment-tools-reference.md)
+
+#### [Convert MBR partition to GPT](mbr-to-gpt.md)
+#### [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
+
+#### [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
+##### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
+###### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
+###### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
+###### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
+###### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
+###### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
+
#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
##### [Introduction to VAMT](volume-activation/introduction-vamt.md)
##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
@@ -132,64 +212,7 @@
####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
###### [Offline Migration Reference](usmt/offline-migration-reference.md)
-### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
-#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
-#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
-#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
-#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
-#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
-
-### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
-##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
-##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
-##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
-#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
-#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
-#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
-#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
-#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
-##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
-##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
-##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
-##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
-##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
-##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
-##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
-#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-
-### [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-
-## Upgrade to Windows 10
-### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
-### [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
-### [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
-### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
-#### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md)
-#### [Upgrade Readiness requirements](upgrade/upgrade-readiness-requirements.md)
-#### [Get started with Upgrade Readiness](upgrade/upgrade-readiness-get-started.md)
-##### [Upgrade Readiness deployment script](upgrade/upgrade-readiness-deployment-script.md)
-#### [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md)
-##### [Upgrade overview](upgrade/upgrade-readiness-upgrade-overview.md)
-##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md)
-##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md)
-##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
-##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
-#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
-### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md)
## [Update Windows 10](update/index.md)
### [Quick guide to Windows as a service](update/waas-quick-start.md)
@@ -218,18 +241,8 @@
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
-## [Convert MBR partition to GPT](mbr-to-gpt.md)
-## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
-## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
-## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md)
-### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md)
-### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md)
-### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md)
-### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md)
-### [Monitor activation [client]](volume-activation/monitor-activation-client.md)
-### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md)
-### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md)
-## [Change history for Deploy, Upgrade and Update Windows 10](change-history-for-deploy-windows-10.md)
\ No newline at end of file
+
+## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
+
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
new file mode 100644
index 0000000000..429f29de1a
--- /dev/null
+++ b/windows/deployment/deploy.md
@@ -0,0 +1,34 @@
+---
+title: Deploy Windows 10 (Windows 10)
+description: Deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+localizationpriority: high
+author: greg-lindsay
+---
+
+# Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+
+
+|Topic |Description |
+|------|------------|
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/index.md b/windows/deployment/index.md
index 6b815392d2..1705124e4a 100644
--- a/windows/deployment/index.md
+++ b/windows/deployment/index.md
@@ -1,6 +1,6 @@
---
-title: Deploy Windows 10 (Windows 10)
-description: Learn about deploying Windows 10 for IT professionals.
+title: Deploy and update Windows 10 (Windows 10)
+description: Deploying and updating Windows 10 for IT professionals.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,34 +9,37 @@ localizationpriority: high
author: greg-lindsay
---
-# Deploy, Upgrade and Update Windows 10
-Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10.
+# Deploy and update Windows 10
-## In this section
+Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. The following sections and topics are available.
-
-### Deploy Windows 10
|Topic |Description |
|------|------------|
|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
-|[Plan for Windows 10 deployment](planning/index.md) | This topic provides information about Windows 10 deployment considerations. It also provides details to assist in Windows 10 deployment planning. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
-|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
-|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Windows 10 Enterprise E3 in CSP overview](deploy-whats-new.md) |Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. |
+|[Resolve Windows 10 upgrade errors](windows-10-enterprise-e3-overview.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+
+
+## Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
-### Upgrade to Windows 10
|Topic |Description |
|------|------------|
-|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
-|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+
+## Update Windows 10
+
+Information is provided about keeping Windows 10 up-to-date.
-### Update Windows 10
|Topic |Description |
|------|------------|
| [Quick guide to Windows as a service](update/waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. |
@@ -54,14 +57,11 @@ Learn about deployment in Windows 10 for IT professionals. This includes deploy
| [Manage additional Windows Update settings](update/waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
| [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
-### Additional topics
+## Additional topics
+
|Topic |Description |
|------|------------|
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
-|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
-|[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) |Sideload line-of-business apps in Windows 10. |
-|[Volume Activation [client]](volume-activation/volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
-|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). |
+|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 1c88ea8fb5..0b33aa08b4 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -7,6 +7,7 @@ ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
+ms.date: 07/05/2017
---
# Manage device restarts after updates
@@ -130,10 +131,10 @@ In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarnin
### Engaged restart
-Engaged restart is the period of time when users are required to schedule a restart. When this period ends (7 days by default), Windows transitions to auto-restart outside of active hours.
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
-* Period of time before engaged restart transitions to auto-restart.
+* Period of time before auto-restart transitions to engaged restart.
* The number of days that users can snooze engaged restart reminder notifications.
* The number of days before a pending restart automatically executes outside of working hours.
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md
index 7413ecc71c..e61588a105 100644
--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@@ -68,14 +68,10 @@ MDM enrollment ensures policies are applied, apps are installed and setting are
In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
-If you would like to capture that information by yourself, the following PowerShell script will generate a text file with the device's hardware ID.
+If you would like to capture that information by yourself, the following [PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) will generate a csv file with the devices' hardware ID.
-```PowerShell
-$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
-$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"
-```
>[!NOTE]
->This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance.
+>This PowerShell script requires elevated permissions.
By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization.
Additional options and customization is available through these portals to pre-configure the devices.
@@ -88,7 +84,7 @@ Options available for Windows 10, Version 1703:
We are working to add additional options to further personalize and streamline the setup experience in future releases.
-To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
+To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](/store-for-business/add-profile-to-devices.md) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
### IT-Driven
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index a6b000c3e9..2a08717439 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 deployment tools reference (Windows 10)
+title: Windows 10 deployment tools (Windows 10)
description: Learn about the tools available to deploy Windows 10.
ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.prod: w10
@@ -8,7 +8,7 @@ ms.sitesec: library
author: greg-lindsay
---
-# Windows 10 deployment tools reference
+# Windows 10 deployment tools
Learn about the tools available to deploy Windows 10.
@@ -29,7 +29,7 @@ Learn about the tools available to deploy Windows 10.
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) |
+[Windows 10 deployment tools reference](windows-deployment-scenarios-and-tools.md) |
To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index c3861f8fe5..5e807ab7d6 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 Enterprise E3 in CSP Overview
+title: Windows 10 Enterprise E3 in CSP overview
description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition.
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
@@ -10,7 +10,7 @@ ms.pagetype: mdt
author: greg-lindsay
---
-# Windows 10 Enterprise E3 in CSP Overview
+# Windows 10 Enterprise E3 in CSP overview
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index a159244f1a..d1fe29aa6f 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -9,7 +9,7 @@ ms.sitesec: library
author: mtniehaus
---
-# Windows 10 deployment tools
+# Windows 10 deployment tools reference
To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 9714c77347..0e0d0232d6 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -82,9 +82,15 @@
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
-### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+
+### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+
+### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+
+
### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
+
+
### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
@@ -95,6 +101,8 @@
##### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
##### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
##### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
##### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
@@ -109,6 +117,8 @@
##### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
##### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
##### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
#### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
##### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
@@ -120,24 +130,28 @@
#### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
#### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
#### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+
+
### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
+
+
+
### [Reference topics for management and configuration tools](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
#### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
#### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
#### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
+
## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
-#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
-#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
+#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
@@ -150,10 +164,13 @@
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
+
## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
-## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md)
+
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
+
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-## [Change history for Threat Protection](change-history-for-threat-protection.md)
\ No newline at end of file
+
+## [Change history for Threat Protection](change-history-for-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index db1498b7bd..eaaccf94c2 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
@@ -10,14 +10,17 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
---
-# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans
+# Configure and validate exclusions for Windows Defender AV scans (client)
**Applies to:**
- Windows 10
+- Windows Server 2016
**Audience**
@@ -39,6 +42,8 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
+Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions.
+
>[!WARNING]
>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 3d78deccde..193a5043bf 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
---
# Configure and validate exclusions based on file extension and folder location
@@ -18,6 +20,7 @@ author: iaanw
**Applies to:**
- Windows 10
+- Windows Server 2016
**Audience**
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 50dbbe12a6..7e45146ca4 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
---
# Configure exclusions for files opened by processes
@@ -17,6 +19,7 @@ author: iaanw
**Applies to:**
- Windows 10
+- Windows Server 2016
**Audience**
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index c293dd3358..6302c7bd01 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -10,9 +10,11 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
---
-# Configure exclusions in Windows Defender AV on Windows Server 2016
+# Configure exclusions in Windows Defender AV on Windows Server
**Applies to:**
@@ -30,14 +32,28 @@ author: iaanw
- PowerShell
- Windows Management Instrumentation (WMI)
-If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions).
These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
-You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics:
+You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+Custom exclusions take precedence over the automatic exclusions.
+
+> [!TIP]
+> Custom and duplicate exclusions do not conflict with automatic exclusions.
+
+Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer.
+
+
+## Opt out of automatic exclusions
+
+In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates.
+
+> [!WARNING]
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
@@ -58,7 +74,7 @@ You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets,
Use the following cmdlets:
```PowerShell
-Set-MpPreference -DisableAutoExclusions
+Set-MpPreference -DisableAutoExclusions $true
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
@@ -75,9 +91,312 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+## List of automatic exclusions
+The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
+
+### Default exclusions for all roles
+This section lists the default exclusions for all Windows Server 2016 roles.
+
+- Windows "temp.edb" files:
+
+ - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
+
+ - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
+
+- Windows Update files or Automatic Update files:
+
+ - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
+
+ - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
+
+ - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
+
+ - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
+
+ - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
+
+- Windows Security files:
+
+ - *%windir%*\Security\database\\*.chk
+
+ - *%windir%*\Security\database\\*.edb
+
+ - *%windir%*\Security\database\\*.jrs
+
+ - *%windir%*\Security\database\\*.log
+
+ - *%windir%*\Security\database\\*.sdb
+
+- Group Policy files:
+
+ - *%allusersprofile%*\NTUser.pol
+
+ - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
+
+ - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
+
+- WINS files:
+
+ - *%systemroot%*\System32\Wins\\*\\\*.chk
+
+ - *%systemroot%*\System32\Wins\\*\\\*.log
+
+ - *%systemroot%*\System32\Wins\\*\\\*.mdb
+
+ - *%systemroot%*\System32\LogFiles\
+
+ - *%systemroot%*\SysWow64\LogFiles\
+
+- File Replication Service (FRS) exclusions:
+
+ - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
+
+ - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
+
+ - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
+
+ - *%windir%*\Ntfrs\jet\log\\*\\\*.log
+
+ - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
+
+ - *%windir%*\Ntfrs\\*\Edb\*.log
+
+ - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+
+ - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
+
+ - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
+
+ - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
+
+ - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
+
+ - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
+
+ - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
+
+ - *%systemdrive%*\System Volume Information\DFSR\\*.XML
+
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
+
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
+
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
+
+ - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
+
+ - *%systemdrive%*\System Volume Information\DFSR\\*.frx
+
+ - *%systemdrive%*\System Volume Information\DFSR\\*.log
+
+ - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
+
+ - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
+
+- Process exclusions
+
+ - *%systemroot%*\System32\dfsr.exe
+
+ - *%systemroot%*\System32\dfsrs.exe
+
+- Hyper-V exclusions:
+
+ - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
+
+ - File type exclusions:
+
+ - *.vhd
+
+ - *.vhdx
+
+ - *.avhd
+
+ - *.avhdx
+
+ - *.vsv
+
+ - *.iso
+
+ - *.rct
+
+ - *.vmcx
+
+ - *.vmrs
+
+ - Folder exclusions:
+
+ - *%ProgramData%*\Microsoft\Windows\Hyper-V
+
+ - *%ProgramFiles%*\Hyper-V
+
+ - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
+
+ - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
+
+ - Process exclusions:
+
+ - *%systemroot%*\System32\Vmms.exe
+
+ - *%systemroot%*\System32\Vmwp.exe
+
+- SYSVOL files:
+
+ - *%systemroot%*\Sysvol\Domain\\*.adm
+
+ - *%systemroot%*\Sysvol\Domain\\*.admx
+
+ - *%systemroot%*\Sysvol\Domain\\*.adml
+
+ - *%systemroot%*\Sysvol\Domain\Registry.pol
+
+ - *%systemroot%*\Sysvol\Domain\\*.aas
+
+ - *%systemroot%*\Sysvol\Domain\\*.inf
+
+ - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
+
+ - *%systemroot%*\Sysvol\Domain\\*.ins
+
+ - *%systemroot%*\Sysvol\Domain\Oscfilter.ini
+
+### Active Directory exclusions
+This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
+
+- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
+
+ - %windir%\Ntds\ntds.dit
+
+ - %windir%\Ntds\ntds.pat
+
+- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files`
+
+ - %windir%\Ntds\EDB*.log
+
+ - %windir%\Ntds\Res*.log
+
+ - %windir%\Ntds\Edb*.jrs
+
+ - %windir%\Ntds\Ntds*.pat
+
+ - %windir%\Ntds\EDB*.log
+
+ - %windir%\Ntds\TEMP.edb
+
+- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
+
+ - %windir%\Ntds\Temp.edb
+
+ - %windir%\Ntds\Edb.chk
+
+- Process exclusions for AD DS and AD DS-related support files:
+
+ - %systemroot%\System32\ntfrs.exe
+
+ - %systemroot%\System32\lsass.exe
+
+### DHCP Server exclusions
+This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
+
+- *%systemroot%*\System32\DHCP\\*\\\*.mdb
+
+- *%systemroot%*\System32\DHCP\\*\\\*.pat
+
+- *%systemroot%*\System32\DHCP\\*\\\*.log
+
+- *%systemroot%*\System32\DHCP\\*\\\*.chk
+
+- *%systemroot%*\System32\DHCP\\*\\\*.edb
+
+### DNS Server exclusions
+This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
+
+- File and folder exclusions for the DNS Server role:
+
+ - *%systemroot%*\System32\Dns\\*\\\*.log
+
+ - *%systemroot%*\System32\Dns\\*\\\*.dns
+
+ - *%systemroot%*\System32\Dns\\*\\\*.scc
+
+ - *%systemroot%*\System32\Dns\\*\BOOT
+
+- Process exclusions for the DNS Server role:
+
+ - *%systemroot%*\System32\dns.exe
+
+
+
+### File and Storage Services exclusions
+This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
+
+- *%SystemDrive%*\ClusterStorage
+
+- *%clusterserviceaccount%*\Local Settings\Temp
+
+- *%SystemDrive%*\mscs
+
+### Print Server exclusions
+This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
+
+- File type exclusions:
+
+ - *.shd
+
+ - *.spl
+
+- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
+
+ - *%system32%*\spool\printers\\*
+
+- Process exclusions:
+
+ - spoolsv.exe
+
+### Web Server exclusions
+This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
+
+- Folder exclusions:
+
+ - *%SystemRoot%*\IIS Temporary Compressed Files
+
+ - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
+
+ - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
+
+ - *%systemDrive%*\inetpub\logs
+
+ - *%systemDrive%*\inetpub\wwwroot
+
+- Process exclusions:
+
+ - *%SystemRoot%*\system32\inetsrv\w3wp.exe
+
+ - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
+
+ - *%SystemDrive%*\PHP5433\php-cgi.exe
+
+### Windows Server Update Services exclusions
+This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
+
+- *%systemroot%*\WSUS\WSUSContent
+
+- *%systemroot%*\WSUS\UpdateServicesDBFiles
+
+- *%systemroot%*\SoftwareDistribution\Datastore
+
+- *%systemroot%*\SoftwareDistribution\Download
+
+
+
+
## Related topics
-- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index 4e7c275117..ed872bc01d 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
---
# Review event logs and error codes to troubleshoot issues with Windows Defender AV
@@ -17,6 +19,7 @@ author: iaanw
**Applies to**
- Windows 10
+- Windows Server 2016
**Audience**
@@ -27,55 +30,58 @@ If you encounter a problem with Windows Defender Antivirus, you can search the t
The tables list:
-- [Windows Defender AV client event IDs](#windows-defender-av-ids)
+- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
- [Windows Defender AV client error codes](#error-codes)
- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
-## Windows Defender AV client event IDs
+## Windows Defender AV event IDs
Windows Defender AV records event IDs in the Windows event log.
You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error.
+The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-**To view a Windows Defender client event**
+**To view a Windows Defender AV event**
1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
+2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**.
3. Double-click on **Operational**.
4. In the details pane, view the list of individual events to find your event.
5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
+
+
+
+
+| Event ID: 1000 |
+
-| Event ID: 1000 |
- Symbolic name:
+Symbolic name:
|
-
- MALWAREPROTECTION_SCAN_STARTED
+ |
+MALWAREPROTECTION_SCAN_STARTED
|
|
- Message:
+Message:
|
-
- An antimalware scan started.
-
+ |
+An antimalware scan started.
+
|
-|
- Description:
+ |
+Description:
|
-
-
+ |
- Scan ID: <ID number of the relevant scan.>
- Scan Type: <Scan type>, for example:
@@ -93,32 +99,31 @@ The table in this section lists the main Windows Defender Antivirus client event
- Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
- User: <Domain>\\<User>
-
|
-| Event ID: 1001 |
-
- Symbolic name:
+ | Event ID: 1001 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SCAN_COMPLETED
+ |
+MALWAREPROTECTION_SCAN_COMPLETED
|
|
- Message:
+Message:
|
-
- An antimalware scan finished.
+ |
+An antimalware scan finished.
|
|
- Description:
+Description:
|
-
-
+ |
- Scan ID: <ID number of the relevant scan.>
- Scan Type: <Scan type>, for example:
@@ -136,34 +141,33 @@ The table in this section lists the main Windows Defender Antivirus client event
- User: <Domain>\\<User>
- Scan Time: <The duration of a scan.>
-
|
-| Event ID: 1002 |
-
- Symbolic name:
+ | Event ID: 1002 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SCAN_CANCELLED
-
+ |
+MALWAREPROTECTION_SCAN_CANCELLED
+
|
|
- Message:
+Message:
|
-
- An antimalware scan was stopped before it finished.
-
+ |
+An antimalware scan was stopped before it finished.
+
|
|
- Description:
+Description:
|
-
-
+ |
- Scan ID: <ID number of the relevant scan.>
- Scan Type: <Scan type>, for example:
@@ -181,34 +185,33 @@ The table in this section lists the main Windows Defender Antivirus client event
- User: <Domain>\<User>
- Scan Time: <The duration of a scan.>
-
|
-| Event ID: 1003 |
-
- Symbolic name:
+ | Event ID: 1003 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SCAN_PAUSED
-
+ |
+MALWAREPROTECTION_SCAN_PAUSED
+
|
|
- Message:
+Message:
|
-
- An antimalware scan was paused.
-
+ |
+An antimalware scan was paused.
+
|
|
- Description:
+Description:
|
-
-
+ |
- Scan ID: <ID number of the relevant scan.>
- Scan Type: <Scan type>, for example:
@@ -225,34 +228,33 @@ The table in this section lists the main Windows Defender Antivirus client event
- User: <Domain>\\<User>
-
|
-| Event ID: 1004 |
-
- Symbolic name:
+ | Event ID: 1004 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SCAN_RESUMED
-
+ |
+MALWAREPROTECTION_SCAN_RESUMED
+
|
|
- Message:
+Message:
|
-
- An antimalware scan was resumed.
-
+ |
+An antimalware scan was resumed.
+
|
|
- Description:
+Description:
|
-
-
+ |
- Scan ID: <ID number of the relevant scan.>
- Scan Type: <Scan type>, for example:
@@ -269,34 +271,33 @@ The table in this section lists the main Windows Defender Antivirus client event
- User: <Domain>\\<User>
-
|
-| Event ID: 1005 |
-
- Symbolic name:
+ | Event ID: 1005 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SCAN_FAILED
-
+ |
+MALWAREPROTECTION_SCAN_FAILED
+
|
|
- Message:
+Message:
|
-
- An antimalware scan failed.
-
+ |
+An antimalware scan failed.
+
|
|
- Description:
+Description:
|
-
-
+ |
- Scan ID: <ID number of the relevant scan.>
- Scan Type: <Scan type>, for example:
@@ -317,52 +318,49 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
|
- User action:
+User action:
|
-
- The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
-
-To troubleshoot this event:
+ |
+The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
+To troubleshoot this event:
- Run the scan again.
- If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
- Contact Microsoft Technical Support.
-
|
-| Event ID: 1006 |
-
- Symbolic name:
+ | Event ID: 1006 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_MALWARE_DETECTED
-
+ |
+MALWAREPROTECTION_MALWARE_DETECTED
+
|
|
- Message:
+Message:
|
-
- The antimalware engine found malware or other potentially unwanted software.
-
+ |
+The antimalware engine found malware or other potentially unwanted software.
+
|
|
- Description:
+Description:
|
-
-
- For more information please see the following:
+ |
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -408,35 +406,34 @@ UAC
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1007 |
-
- Symbolic name:
+ | Event ID: 1007 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_MALWARE_ACTION_TAKEN
-
+ |
+MALWAREPROTECTION_MALWARE_ACTION_TAKEN
+
|
|
- Message:
+Message:
|
-
- The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-
+ |
+The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
+ |
+Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
- User: <Domain>\\<User>
- Name: <Threat name>
@@ -463,33 +460,32 @@ UAC
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1008 |
-
- Symbolic name:
+ | Event ID: 1008 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_MALWARE_ACTION_FAILED
+ |
+MALWAREPROTECTION_MALWARE_ACTION_FAILED
|
|
- Message:
+Message:
|
-
- The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
+ |
+The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
+ |
+Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
- User: <Domain>\\<User>
- Name: <Threat name>
@@ -521,35 +517,34 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1009 |
-
- Symbolic name:
+ | Event ID: 1009 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_QUARANTINE_RESTORE
-
+ |
+MALWAREPROTECTION_QUARANTINE_RESTORE
+
|
|
- Message:
+Message:
|
-
- The antimalware platform restored an item from quarantine.
-
+ |
+The antimalware platform restored an item from quarantine.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has restored an item from quarantine. For more information please see the following:
+ |
+Windows Defender has restored an item from quarantine. For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -566,35 +561,34 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1010 |
-
- Symbolic name:
+ | Event ID: 1010 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
-
+ |
+MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
+
|
|
- Message:
+Message:
|
-
- The antimalware platform could not restore an item from quarantine.
-
+ |
+The antimalware platform could not restore an item from quarantine.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
+ |
+Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -615,35 +609,34 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1011 |
-
- Symbolic name:
+ | Event ID: 1011 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_QUARANTINE_DELETE
+ |
+MALWAREPROTECTION_QUARANTINE_DELETE
|
|
- Message:
+Message:
|
-
- The antimalware platform deleted an item from quarantine.
-
+ |
+The antimalware platform deleted an item from quarantine.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has deleted an item from quarantine.
-For more information please see the following:
+ |
+Windows Defender has deleted an item from quarantine.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -660,35 +653,34 @@ For more information please see the following:
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1012 |
-
- Symbolic name:
+ | Event ID: 1012 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
-
+ |
+MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
+
|
|
- Message:
+Message:
|
-
- The antimalware platform could not delete an item from quarantine.
+ |
+The antimalware platform could not delete an item from quarantine.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to delete an item from quarantine.
-For more information please see the following:
+ |
+Windows Defender has encountered an error trying to delete an item from quarantine.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -709,66 +701,64 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
-| Event ID: 1013 |
-
- Symbolic name:
+ | Event ID: 1013 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_MALWARE_HISTORY_DELETE
-
+ |
+MALWAREPROTECTION_MALWARE_HISTORY_DELETE
+
|
|
- Message:
+Message:
|
-
- The antimalware platform deleted history of malware and other potentially unwanted software.
+ |
+The antimalware platform deleted history of malware and other potentially unwanted software.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has removed history of malware and other potentially unwanted software.
+ |
+Windows Defender has removed history of malware and other potentially unwanted software.
- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\\<User>
-
|
-| Event ID: 1014 |
-
- Symbolic name:
+ | Event ID: 1014 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
-
+ |
+MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
+
|
|
- Message:
+Message:
|
-
- The antimalware platform could not delete history of malware and other potentially unwanted software.
+ |
+The antimalware platform could not delete history of malware and other potentially unwanted software.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
+ |
+Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
- User: <Domain>\\<User>
@@ -777,35 +767,34 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
-| Event ID: 1015 |
-
- Symbolic name:
+ | Event ID: 1015 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_BEHAVIOR_DETECTED
-
+ |
+MALWAREPROTECTION_BEHAVIOR_DETECTED
+
|
|
- Message:
+Message:
|
-
- The antimalware platform detected suspicious behavior.
+ |
+The antimalware platform detected suspicious behavior.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has detected a suspicious behavior.
-For more information please see the following:
+ |
+Windows Defender has detected a suspicious behavior.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -856,35 +845,34 @@ UAC
- Target File Name: <File name>
Name of the file.
-
|
-| Event ID: 1116 |
-
- Symbolic name:
+ | Event ID: 1116 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_STATE_MALWARE_DETECTED
+ |
+MALWAREPROTECTION_STATE_MALWARE_DETECTED
|
|
- Message:
+Message:
|
-
- The antimalware platform detected malware or other potentially unwanted software.
-
+ |
+The antimalware platform detected malware or other potentially unwanted software.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has detected malware or other potentially unwanted software.
-For more information please see the following:
+ |
+Windows Defender has detected malware or other potentially unwanted software.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -930,44 +918,43 @@ UAC
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
|
- User action:
+User action:
|
-
- No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
+ |
+No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
|
-| Event ID: 1117 |
-
- Symbolic name:
+ | Event ID: 1117 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
-
+ |
+MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
+
|
|
- Message:
+Message:
|
-
- The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-
+ |
+The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
-For more information please see the following:
+ |
+Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1027,8 +1014,8 @@ Result code associated with threat status. Standard HRESULT values.
Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-NOTE:
- Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
+NOTE:
+Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
- Default Internet Explorer or Microsoft Edge setting
- User Access Control settings
- Chrome settings
@@ -1044,59 +1031,58 @@ The above context applies to the following client and server versions:
|
|
- Client Operating System
+Client Operating System
|
- Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
+Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
|
|
- Server Operating System
+Server Operating System
|
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
+Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
|
-
|
- User action:
+User action:
|
-
- No action is necessary. Windows Defender removed or quarantined a threat.
+ |
+No action is necessary. Windows Defender removed or quarantined a threat.
|
-| Event ID: 1118 |
-
- Symbolic name:
+ | Event ID: 1118 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
+ |
+MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
|
|
- Message:
+Message:
|
-
- The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
-
+ |
+The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.
-For more information please see the following:
+ |
+Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1157,43 +1143,42 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
|
- User action:
+User action:
|
-
- No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.
+ |
+No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.
|
-| Event ID: 1119 |
-
- Symbolic name:
+ | Event ID: 1119 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
-
+ |
+MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
+
|
|
- Message:
+Message:
|
-
- The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.
+ |
+The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
-For more information please see the following:
+ |
+Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
+For more information please see the following:
- Name: <Threat name>
- ID: <Threat ID>
@@ -1254,15 +1239,14 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
|
- User action:
+User action:
|
-
- The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
+ |
+The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
| Action |
@@ -1270,153 +1254,150 @@ Description of the error.
|
- Remove
+Remove
|
- Update the definitions then verify that the removal was successful.
+Update the definitions then verify that the removal was successful.
|
|
- Clean
+Clean
|
- Update the definitions then verify that the remediation was successful.
+Update the definitions then verify that the remediation was successful.
|
|
- Quarantine
+Quarantine
|
- Update the definitions and verify that the user has permission to access the necessary resources.
+Update the definitions and verify that the user has permission to access the necessary resources.
|
|
- Allow
+Allow
|
- Verify that the user has permission to access the necessary resources.
+Verify that the user has permission to access the necessary resources.
|
-
-If this event persists:
+
+If this event persists:
- Run the scan again.
- If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
- Contact Microsoft Technical Support.
-
|
-| Event ID: 1120 |
-
- Symbolic name:
+ | Event ID: 1120 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_THREAT_HASH
+ |
+MALWAREPROTECTION_THREAT_HASH
|
|
- Message:
+Message:
|
-
- Windows Defender has deduced the hashes for a threat resource.
+ |
+Windows Defender has deduced the hashes for a threat resource.
|
|
- Description:
+Description:
|
-
-
- Windows Defender client is up and running in a healthy state.
+ |
+Windows Defender client is up and running in a healthy state.
- Current Platform Version: <Current platform version>
- Threat Resource Path: <Path>
- Hashes: <Hashes>
-
|
|
-
+ |
Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
|
-| Event ID: 1150 |
-
- Symbolic name:
+ | Event ID: 1150 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SERVICE_HEALTHY
+ |
+MALWAREPROTECTION_SERVICE_HEALTHY
|
|
- Message:
+Message:
|
-
- If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
-
+ |
+If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender client is up and running in a healthy state.
+ |
+Windows Defender client is up and running in a healthy state.
- Platform Version: <Current platform version>
- Signature Version: <Definition version>
- Engine Version: <Antimalware Engine version>
-
|
|
- User action:
+User action:
|
-
- No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
+ |
+No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
|
-| Event ID: 2000 |
-
- Symbolic name:
+ | Event ID: 2000 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_UPDATED
-
+ |
+MALWAREPROTECTION_SIGNATURE_UPDATED
+
|
|
- Message:
+Message:
|
-
- The antimalware definitions updated successfully.
-
+ |
+The antimalware definitions updated successfully.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender signature version has been updated.
+ |
+Windows Defender signature version has been updated.
- Current Signature Version: <Current signature version>
- Previous Signature Version: <Previous signature version>
@@ -1432,42 +1413,41 @@ Description of the error.
- Current Engine Version: <Current engine version>
- Previous Engine Version: <Previous engine version>
-
|
|
- User action:
+User action:
|
-
- No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.
+ |
+No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.
|
-| Event ID: 2001 |
-
- Symbolic name:
+ | Event ID: 2001 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED
+ |
+MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED
|
|
- Message:
+Message:
|
-
- The antimalware definition update failed.
-
+ |
+The antimalware definition update failed.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to update signatures.
+ |
+Windows Defender has encountered an error trying to update signatures.
- New Signature Version: <New version number>
- Previous Signature Version: <Previous signature version>
@@ -1504,99 +1484,89 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
|
- User action:
+User action:
|
-
- This error occurs when there is a problem updating definitions.
-To troubleshoot this event:
+ |
+This error occurs when there is a problem updating definitions.
+To troubleshoot this event:
-- Update the definitions. Either:
-- Click the Update definitions button on the Update tab in Windows Defender.
 Or,
-
-- Download the latest definitions from the Microsoft Malware Protection Center.
-
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
-
-
-
+- [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
- Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
- Contact Microsoft Technical Support.
-
|
-| Event ID: 2002 |
-
- Symbolic name:
+ | Event ID: 2002 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ENGINE_UPDATED
+ |
+MALWAREPROTECTION_ENGINE_UPDATED
|
|
- Message:
+Message:
|
-
- The antimalware engine updated successfully.
-
+ |
+The antimalware engine updated successfully.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender engine version has been updated.
+ |
+Windows Defender engine version has been updated.
- Current Engine Version: <Current engine version>
- Previous Engine Version: <Previous engine version>
- Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
- User: <Domain>\\<User>
-
|
|
- User action:
+User action:
|
-
- No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
+ |
+No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
|
-| Event ID: 2003 |
-
- Symbolic name:
+ | Event ID: 2003 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ENGINE_UPDATE_FAILED
+ |
+MALWAREPROTECTION_ENGINE_UPDATE_FAILED
|
|
- Message:
+Message:
|
-
- The antimalware engine update failed.
-
+ |
+The antimalware engine update failed.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to update the engine.
+ |
+Windows Defender has encountered an error trying to update the engine.
- New Engine Version:
- Previous Engine Version: <Previous engine version>
@@ -1607,55 +1577,46 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
|
- User action:
+User action:
|
-
- The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
-To troubleshoot this event:
+ |
+The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+To troubleshoot this event:
-- Update the definitions. Either:
-- Click the Update definitions button on the Update tab in Windows Defender.
Or,
-
-- Download the latest definitions from the Microsoft Malware Protection Center.
-
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
-
-
-
+- [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
- Contact Microsoft Technical Support.
-
|
-| Event ID: 2004 |
-
- Symbolic name:
+ | Event ID: 2004 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_REVERSION
+ |
+MALWAREPROTECTION_SIGNATURE_REVERSION
|
|
- Message:
+Message:
|
-
- There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.
+ |
+There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+ |
+Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
- Signatures Attempted:
- Error Code: <Error code>
@@ -1665,83 +1626,80 @@ Description of the error.
- Signature Version: <Definition version>
- Engine Version: <Antimalware engine version>
-
|
|
- User action:
+User action:
|
-
- The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.
-To troubleshoot this event:
+ |
+The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.
+To troubleshoot this event:
- Restart the computer and try again.
- Download the latest definitions from the Microsoft Malware Protection Center.
-
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
- Contact Microsoft Technical Support.
-
|
-| Event ID: 2005 |
-
- Symbolic name:
+ | Event ID: 2005 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE
+ |
+MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE
|
|
- Message:
+Message:
|
-
- The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.
+ |
+The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.
|
|
- Description:
+Description:
|
-
-
- Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
+ |
+Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
- Current Platform Version: <Current platform version>
-
|
-| Event ID: 2006 |
-
- Symbolic name:
+ | Event ID: 2006 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
-
+ |
+MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
+
|
|
- Message:
+Message:
|
-
- The platform update failed.
-
+ |
+The platform update failed.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to update the platform.
+ |
+Windows Defender has encountered an error trying to update the platform.
- Current Platform Version: <Current platform version>
- Error Code: <Error code>
@@ -1749,65 +1707,63 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
-| Event ID: 2007 |
-
- Symbolic name:
+ | Event ID: 2007 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE
+ |
+MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE
|
|
- Message:
+Message:
|
-
- The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.
+ |
+The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.
|
|
- Description:
+Description:
|
-
-
- Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
+ |
+Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
- Current Platform Version: <Current platform version>
-
|
-| Event ID: 2010 |
-
- Symbolic name:
+ | Event ID: 2010 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
-
+ |
+MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
+
|
|
- Message:
+Message:
|
-
- The antimalware engine used the Dynamic Signature Service to get additional definitions.
-
+ |
+The antimalware engine used the Dynamic Signature Service to get additional definitions.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+ |
+Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
- Current Signature Version: <Current signature version>
- Signature Type: <Signature type>, for example:
@@ -1838,35 +1794,34 @@ Description of the error.
- Persistence Limit: Persistence limit of the fastpath signature.
-
|
-| Event ID: 2011 |
-
- Symbolic name:
+ | Event ID: 2011 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
-
+ |
+MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
+
|
|
- Message:
+Message:
|
-
- The Dynamic Signature Service deleted the out-of-date dynamic definitions.
-
+ |
+The Dynamic Signature Service deleted the out-of-date dynamic definitions.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender used Dynamic Signature Service to discard obsolete signatures.
+ |
+Windows Defender used Dynamic Signature Service to discard obsolete signatures.
- Current Signature Version: <Current signature version>
- Signature Type: <Signature type>, for example:
@@ -1898,43 +1853,42 @@ Description of the error.
- Persistence Limit: Persistence limit of the fastpath signature.
-
|
|
- User action:
+User action:
|
-
- No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
+ |
+No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
|
-| Event ID: 2012 |
-
- Symbolic name:
+ | Event ID: 2012 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
-
+ |
+MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
+
|
|
- Message:
+Message:
|
-
- The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
-
+ |
+The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to use Dynamic Signature Service.
+ |
+Windows Defender has encountered an error trying to use Dynamic Signature Service.
- Current Signature Version: <Current signature version>
- Signature Type: <Signature type>, for example:
@@ -1969,109 +1923,106 @@ Description of the error.
- Persistence Limit: Persistence limit of the fastpath signature.
-
|
|
- User action:
+User action:
|
-
- Check your Internet connectivity settings.
+ |
+Check your Internet connectivity settings.
|
-| Event ID: 2013 |
-
- Symbolic name:
+ | Event ID: 2013 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
-
+ |
+MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
+
|
|
- Message:
+Message:
|
-
- The Dynamic Signature Service deleted all dynamic definitions.
-
+ |
+The Dynamic Signature Service deleted all dynamic definitions.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender discarded all Dynamic Signature Service signatures.
+ |
+Windows Defender discarded all Dynamic Signature Service signatures.
- Current Signature Version: <Current signature version>
-
|
-| Event ID: 2020 |
-
- Symbolic name:
+ | Event ID: 2020 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
-
+ |
+MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
+
|
|
- Message:
+Message:
|
-
- The antimalware engine downloaded a clean file.
-
+ |
+The antimalware engine downloaded a clean file.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender downloaded a clean file.
+ |
+Windows Defender downloaded a clean file.
- Filename: <File name>
Name of the file.
- Current Signature Version: <Current signature version>
- Current Engine Version: <Current engine version>
-
|
-| Event ID: 2021 |
-
- Symbolic name:
+ | Event ID: 2021 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED
+ |
+MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED
|
|
- Message:
+Message:
|
-
- The antimalware engine failed to download a clean file.
-
+ |
+The antimalware engine failed to download a clean file.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to download a clean file.
+ |
+Windows Defender has encountered an error trying to download a clean file.
- Filename: <File name>
Name of the file.
@@ -2082,185 +2033,185 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
|
- User action:
+User action:
|
-
- Check your Internet connectivity settings.
-
-The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
-
+ |
+Check your Internet connectivity settings.
+The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
|
-| Event ID: 2030 |
-
- Symbolic name:
+ | Event ID: 2030 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED
+ |
+MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED
|
|
- Message:
+Message:
|
-
- The antimalware engine was downloaded and is configured to run offline on the next system restart.
+ |
+The antimalware engine was downloaded and is configured to run offline on the next system restart.
|
|
- Description:
+Description:
|
-
- Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.
+ |
+Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.
|
-| Event ID: 2031 |
-
- Symbolic name:
+ | Event ID: 2031 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
-
+ |
+MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
+
|
|
- Message:
+Message:
|
-
- The antimalware engine was unable to download and configure an offline scan.
+ |
+The antimalware engine was unable to download and configure an offline scan.
|
|
- Description:
+Description:
|
-
-
- Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
+ |
+Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
- Error Code: <Error code>
Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
-| Event ID: 2040 |
-
- Symbolic name:
+ | Event ID: 2040 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_OS_EXPIRING
-
+ |
+MALWAREPROTECTION_OS_EXPIRING
+
|
|
- Message:
+Message:
|
-
- Antimalware support for this operating system version will soon end.
-
+ |
+Antimalware support for this operating system version will soon end.
+
|
|
- Description:
+Description:
|
-
- The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
+ |
+The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
|
-| Event ID: 2041 |
-
- Symbolic name:
+ | Event ID: 2041 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_OS_EOL
-
+ |
+MALWAREPROTECTION_OS_EOL
+
|
|
- Message:
+Message:
|
-
- Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
-
+ |
+Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
+
|
|
- Description:
+Description:
|
-
- The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
+ |
+The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
|
-| Event ID: 2042 |
-
- Symbolic name:
+ | Event ID: 2042 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_PROTECTION_EOL
-
+ |
+MALWAREPROTECTION_PROTECTION_EOL
+
|
|
- Message:
+Message:
|
-
- The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
-
+ |
+The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
+
|
|
- Description:
+Description:
|
-
- The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
+ |
+The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
|
-| Event ID: 3002 |
-
- Symbolic name:
+ | Event ID: 3002 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_RTP_FEATURE_FAILURE
-
+ |
+MALWAREPROTECTION_RTP_FEATURE_FAILURE
+
|
|
- Message:
+Message:
|
-
- Real-time protection encountered an error and failed.
+ |
+Real-time protection encountered an error and failed.
|
|
- Description:
+Description:
|
-
-
- Windows Defender Real-Time Protection feature has encountered an error and failed.
+ |
+Windows Defender Real-Time Protection feature has encountered an error and failed.
- Feature: <Feature>, for example:
@@ -2276,47 +2227,43 @@ Result code associated with threat status. Standard HRESULT values.
Description of the error.
- Reason: The reason Windows Defender real-time protection has restarted a feature.
-
|
|
- User action:
+User action:
|
-
- You should restart the system then run a full scan because it's possible the system was not protected for some time.
-
-The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.
-
-If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
-
+ |
+You should restart the system then run a full scan because it's possible the system was not protected for some time.
+The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.
+If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
|
-| Event ID: 3007 |
-
- Symbolic name:
+ | Event ID: 3007 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_RTP_FEATURE_RECOVERED
+ |
+MALWAREPROTECTION_RTP_FEATURE_RECOVERED
|
|
- Message:
+Message:
|
-
- Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
-
+ |
+Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+ |
+Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
- Feature: <Feature>, for example:
@@ -2328,96 +2275,97 @@ Description of the error.
- Reason: The reason Windows Defender real-time protection has restarted a feature.
-
|
|
- User action:
+User action:
|
-
- The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.
+ |
+The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.
|
-| Event ID: 5000 |
-
- Symbolic name:
+ | Event ID: 5000 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_RTP_ENABLED
-
+ |
+MALWAREPROTECTION_RTP_ENABLED
+
|
|
- Message:
+Message:
|
-
- Real-time protection is enabled.
-
+ |
+Real-time protection is enabled.
+
|
|
- Description:
+Description:
|
-
- Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.
+ |
+Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.
|
-| Event ID: 5001 |
-
- Symbolic name:
+ | Event ID: 5001 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_RTP_DISABLED
+ |
+MALWAREPROTECTION_RTP_DISABLED
|
|
- Message:
+Message:
|
-
- Real-time protection is disabled.
-
+ |
+Real-time protection is disabled.
+
|
|
- Description:
+Description:
|
-
- Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.
+ |
+Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.
|
-| Event ID: 5004 |
-
- Symbolic name:
+ | Event ID: 5004 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
-
+ |
+MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
+
|
|
- Message:
+Message:
|
-
- The real-time protection configuration changed.
-
+ |
+The real-time protection configuration changed.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender Real-time Protection feature configuration has changed.
+ |
+Windows Defender Real-time Protection feature configuration has changed.
- Feature: <Feature>, for example:
@@ -2429,67 +2377,65 @@ Description of the error.
- Configuration:
-
|
-| Event ID: 5007 |
-
- Symbolic name:
+ | Event ID: 5007 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_CONFIG_CHANGED
-
+ |
+MALWAREPROTECTION_CONFIG_CHANGED
+
|
|
- Message:
+Message:
|
-
- The antimalware platform configuration changed.
+ |
+The antimalware platform configuration changed.
|
|
- Description:
+Description:
|
-
-
- Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
+ |
+Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
- Old value: <Old value number>
Old Windows Defender configuration value.
- New value: <New value number>
New Windows Defender configuration value.
-
|
-| Event ID: 5008 |
-
- Symbolic name:
+ | Event ID: 5008 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ENGINE_FAILURE
+ |
+MALWAREPROTECTION_ENGINE_FAILURE
|
|
- Message:
+Message:
|
-
- The antimalware engine encountered an error and failed.
+ |
+The antimalware engine encountered an error and failed.
|
|
- Description:
+Description:
|
-
-
- Windows Defender engine has been terminated due to an unexpected error.
+ |
+Windows Defender engine has been terminated due to an unexpected error.
- Failure Type: <Failure type>, for example:
Crash
@@ -2497,15 +2443,14 @@ or Hang
- Exception Code: <Error code>
- Resource: <Resource>
-
|
|
- User action:
+User action:
|
-
- To troubleshoot this event:
+
+To troubleshoot this event:
- Try to restart the service.
- For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine.
- For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file.
@@ -2514,189 +2459,190 @@ or Hang
- If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support.
-
|
|
|
- User action:
+User action:
|
-
- The Windows Defender client engine stopped due to an unexpected error.
-To troubleshoot this event:
+ |
+The Windows Defender client engine stopped due to an unexpected error.
+To troubleshoot this event:
- Run the scan again.
- If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
- Contact Microsoft Technical Support.
-
|
-| Event ID: 5009 |
-
- Symbolic name:
+ | Event ID: 5009 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ANTISPYWARE_ENABLED
-
+ |
+MALWAREPROTECTION_ANTISPYWARE_ENABLED
+
|
|
- Message:
+Message:
|
-
- Scanning for malware and other potentially unwanted software is enabled.
-
+ |
+Scanning for malware and other potentially unwanted software is enabled.
+
|
|
- Description:
+Description:
|
-
- Windows Defender scanning for malware and other potentially unwanted software has been enabled.
+ |
+Windows Defender scanning for malware and other potentially unwanted software has been enabled.
|
-| Event ID: 5010 |
-
- Symbolic name:
+ | Event ID: 5010 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ANTISPYWARE_DISABLED
-
+ |
+MALWAREPROTECTION_ANTISPYWARE_DISABLED
+
|
|
- Message:
+Message:
|
-
- Scanning for malware and other potentially unwanted software is disabled.
+ |
+Scanning for malware and other potentially unwanted software is disabled.
|
|
- Description:
+Description:
|
-
- Windows Defender scanning for malware and other potentially unwanted software is disabled.
+ |
+Windows Defender scanning for malware and other potentially unwanted software is disabled.
|
-| Event ID: 5011 |
-
- Symbolic name:
+ | Event ID: 5011 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ANTIVIRUS_ENABLED
+ |
+MALWAREPROTECTION_ANTIVIRUS_ENABLED
|
|
- Message:
+Message:
|
-
- Scanning for viruses is enabled.
+ |
+Scanning for viruses is enabled.
|
|
- Description:
+Description:
|
-
- Windows Defender scanning for viruses has been enabled.
+ |
+Windows Defender scanning for viruses has been enabled.
|
-| Event ID: 5012 |
-
- Symbolic name:
+ | Event ID: 5012 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_ANTIVIRUS_DISABLED
-
+ |
+MALWAREPROTECTION_ANTIVIRUS_DISABLED
+
|
|
- Message:
+Message:
|
-
- Scanning for viruses is disabled.
-
+ |
+Scanning for viruses is disabled.
+
|
|
- Description:
+Description:
|
-
- Windows Defender scanning for viruses is disabled.
+ |
+Windows Defender scanning for viruses is disabled.
|
-| Event ID: 5100 |
-
- Symbolic name:
+ | Event ID: 5100 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_EXPIRATION_WARNING_STATE
-
+ |
+MALWAREPROTECTION_EXPIRATION_WARNING_STATE
+
|
|
- Message:
+Message:
|
-
- The antimalware platform will expire soon.
-
+ |
+The antimalware platform will expire soon.
+
|
|
- Description:
+Description:
|
-
-
- Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+ |
+Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
- Expiration Reason: The reason Windows Defender will expire.
- Expiration Date: The date Windows Defender will expire.
-
|
-| Event ID: 5101 |
-
- Symbolic name:
+ | Event ID: 5101 |
+
+|
+Symbolic name:
|
-
- MALWAREPROTECTION_DISABLED_EXPIRED_STATE
-
+ |
+MALWAREPROTECTION_DISABLED_EXPIRED_STATE
+
|
|
- Message:
+Message:
|
-
- The antimalware platform is expired.
-
+ |
+The antimalware platform is expired.
+
|
|
- Description::
+Description:
|
-
-
- Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+ |
+Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
- Expiration Reason:
- Expiration Date:
@@ -2705,7 +2651,6 @@ Result code associated with threat status. Standard HRESULT values.
- Error Description: <Error description>
Description of the error.
-
|
@@ -2719,58 +2664,52 @@ This section provides the following information about Windows Defender Antivirus
- Advice on what to do now
Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes.
-
+
+
+
-| External error codes |
+Error code: 0x80508007 |
-| Error code |
-Message displayed |
-Possible reason for error |
-What to do now |
+Message |
+
+ERR_MP_NO_MEMORY
+ |
|
- 0x80508007
-
+Possible reason
|
- ERR_MP_NO_MEMORY
-
+This error indicates that you might have run out of memory.
|
+
+
+| Resolution |
- This error indicates that you might have run out of memory.
-
- |
-
-
- Check the available memory on your device.
- Close any unused applications that are running to free up memory on your device.
- Restart the device and run the scan again.
-
|
+| Error code: 0x8050800C |
+
| Message |
+ERR_MP_BAD_INPUT_DATA
+ |
| Possible reason |
- 0x8050800C
+This error indicates that there might be a problem with your security product.
|
-
- ERR_MP_BAD_INPUT_DATA
- |
-
- This error indicates that there might be a problem with your security product.
- |
-
-
+ |
| Resolution |
- Update the definitions. Either:
-- Click the Update definitions button on the Update tab in Windows Defender.
Or,
+ - Click the Update definitions button on the Update tab in Windows Defender. Or,
- Download the latest definitions from the Microsoft Malware Protection Center.
-
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@@ -2778,195 +2717,149 @@ Use the information in these tables to help troubleshoot Windows Defender Antivi
- Restart the device and try again.
-
|
+| Error code: 0x80508020 |
+
| Message |
+ERR_MP_BAD_CONFIGURATION
+
+ |
| Possible reason |
- 0x80508020
- |
-
- ERR_MP_BAD_CONFIGURATION
-
- |
-
- This error indicates that there might be an engine configuration error; commonly, this is related to input
+This error indicates that there might be an engine configuration error; commonly, this is related to input
data that does not allow the engine to function properly.
-
|
+| Error code: 0x805080211
+ |
+
| Message |
+ERR_MP_QUARANTINE_FAILED
+
+ |
| Possible reason |
- 0x805080211
-
- |
-
- ERR_MP_QUARANTINE_FAILED
-
- |
-
- This error indicates that Windows Defender failed to quarantine a threat.
-
+This error indicates that Windows Defender failed to quarantine a threat.
|
+| Error code: 0x80508022
+ |
+
| Message |
+ERR_MP_REBOOT_REQUIRED
+
+ |
| Possible reason |
- 0x80508022
-
- |
-
- ERR_MP_REBOOT_REQUIRED
-
- |
-
- This error indicates that a reboot is required to complete threat removal.
-
+This error indicates that a reboot is required to complete threat removal.
|
-|
- 0x80508023
-
+ |
+0x80508023
+ |
+
| Message |
+ERR_MP_THREAT_NOT_FOUND
+
+ |
| Possible reason |
+
+This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
+ |
| Resolution
|
- ERR_MP_THREAT_NOT_FOUND
-
- |
-
- This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
-
- |
-
- Run the Microsoft Safety Scanner then update your security software and try again.
-
+Run the Microsoft Safety Scanner then update your security software and try again.
|
-|
- ERR_MP_FULL_SCAN_REQUIRED
-
- |
-
- This error indicates that a full system scan might be required.
-
- |
-
- Run a full system scan.
-
+ | Error code: 0x80508024 |
+
+| Message |
+ERR_MP_FULL_SCAN_REQUIRED
+
+ |
| Possible reason |
+
+This error indicates that a full system scan might be required.
+ |
+
+| Resolution |
+Run a full system scan.
|
+| Error code: 0x80508025
+ |
+
| Message |
+ERR_MP_MANUAL_STEPS_REQUIRED
+
+ |
| Possible reason |
- 0x80508024
-
+This error indicates that manual steps are required to complete threat removal.
+ |
| Resolution |
+Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
|
+| Error code: 0x80508026
+ |
+
| Message |
+ERR_MP_REMOVE_NOT_SUPPORTED
+
+ |
| Possible reason |
- 0x80508025
-
- |
-
- ERR_MP_MANUAL_STEPS_REQUIRED
-
- |
-
- This error indicates that manual steps are required to complete threat removal.
-
- |
-
- Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
-
+This error indicates that removal inside the container type might not be not supported.
+ |
| Resolution |
+Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
|
+| Error code: 0x80508027
+ |
+
| Message |
+ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
+
+ |
| Possible reason |
- 0x80508026
-
- |
-
- ERR_MP_REMOVE_NOT_SUPPORTED
-
- |
-
- This error indicates that removal inside the container type might not be not supported.
-
- |
-
- Windows Defender is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
-
+This error indicates that removal of low and medium threats might be disabled.
+ |
| Resolution |
+Check the detected threats and resolve them as required.
|
+| Error code: 0x80508029
+ |
+
| Message |
+ERROR_MP_RESCAN_REQUIRED
+
+ |
| Possible reason |
- 0x80508027
-
- |
-
- ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
-
- |
-
- This error indicates that removal of low and medium threats might be disabled.
-
- |
-
- Check the detected threats and resolve them as required.
-
+This error indicates a rescan of the threat is required.
+ |
| Resolution |
+Run a full system scan.
|
+| Error code: 0x80508030
+ |
+
| Message |
+ERROR_MP_CALLISTO_REQUIRED
+
+ |
| Possible reason |
- 0x80508029
-
- |
-
- ERROR_MP_RESCAN_REQUIRED
-
- |
-
- This error indicates a rescan of the threat is required.
-
- |
-
- Run a full system scan.
-
+This error indicates that an offline scan is required.
+ |
| Resolution |
+Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline
+article.
|
+| Error code: 0x80508031
+ |
+
| Message |
+ERROR_MP_PLATFORM_OUTDATED
+
+ |
| Possible reason |
- 0x80508030
-
- |
-
- ERROR_MP_CALLISTO_REQUIRED
-
- |
-
- This error indicates that an offline scan is required.
-
- |
-
- Run Windows Defender Offline. You can read about how to do this in the Windows Defender Offline
-article.
- |
-
-
-|
- 0x80508031
-
- |
-
- ERROR_MP_PLATFORM_OUTDATED
-
- |
-
- This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform.
-
- |
-
- You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
-
+This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform.
+ |
| Resolution |
+You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
|
@@ -2974,349 +2867,330 @@ article.
The following error codes are used during internal testing of Windows Defender AV.
-
+If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
+
+
+
-| Internal error codes |
+Internal error codes |
-| Error code |
+Error code |
Message displayed |
-Possible reason for error |
-What to do now |
+Possible reason for error and resolution |
|
- 0x80501004
+0x80501004
|
- ERROR_MP_NO_INTERNET_CONN
-
+ERROR_MP_NO_INTERNET_CONN
+
|
- Check your Internet connection, then run the scan again.
- |
-
- Check your Internet connection, then run the scan again.
+Check your Internet connection, then run the scan again.
|
|
- 0x80501000
+0x80501000
|
- ERROR_MP_UI_CONSOLIDATION_BASE
+ERROR_MP_UI_CONSOLIDATION_BASE
|
- This is an internal error. The cause is not clearly defined.
+This is an internal error. The cause is not clearly defined.
|
-
-
-- Update the definitions. Either:
-- Click the Update definitions button on the Update tab in Windows Defender.
Or,
-
-- Download the latest definitions from the Microsoft Malware Protection Center.
-
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
-
-
-
-- Run a full scan.
-
-- Restart the device and try again.
-
-
+
|
|
- 0x80501001
+0x80501001
|
- ERROR_MP_ACTIONS_FAILED
+ERROR_MP_ACTIONS_FAILED
|
|
- 0x80501002
+0x80501002
|
- ERROR_MP_NOENGINE
+ERROR_MP_NOENGINE
|
|
- 0x80501003
+0x80501003
|
- ERROR_MP_ACTIVE_THREATS
+ERROR_MP_ACTIVE_THREATS
|
|
- 0x805011011
+0x805011011
|
- MP_ERROR_CODE_LUA_CANCELLED
+MP_ERROR_CODE_LUA_CANCELLED
|
|
- 0x80501101
+0x80501101
|
- ERROR_LUA_CANCELLATION
+ERROR_LUA_CANCELLATION
|
|
- 0x80501102
+0x80501102
|
- MP_ERROR_CODE_ALREADY_SHUTDOWN
+MP_ERROR_CODE_ALREADY_SHUTDOWN
|
|
- 0x80501103
+0x80501103
|
- MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
+MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
|
|
- 0x80501104
+0x80501104
|
- MP_ERROR_CODE_CANCELLED
+MP_ERROR_CODE_CANCELLED
|
|
- 0x80501105
+0x80501105
|
- MP_ERROR_CODE_NO_TARGETOS
+MP_ERROR_CODE_NO_TARGETOS
|
|
- 0x80501106
+0x80501106
|
- MP_ERROR_CODE_BAD_REGEXP
+MP_ERROR_CODE_BAD_REGEXP
|
|
- 0x80501107
+0x80501107
|
- MP_ERROR_TEST_INDUCED_ERROR
+MP_ERROR_TEST_INDUCED_ERROR
|
|
- 0x80501108
+0x80501108
|
- MP_ERROR_SIG_BACKUP_DISABLED
+MP_ERROR_SIG_BACKUP_DISABLED
|
|
- 0x80508001
+0x80508001
|
- ERR_MP_BAD_INIT_MODULES
+ERR_MP_BAD_INIT_MODULES
|
|
- 0x80508002
+0x80508002
|
- ERR_MP_BAD_DATABASE
+ERR_MP_BAD_DATABASE
|
|
- 0x80508004
+0x80508004
|
- ERR_MP_BAD_UFS
+ERR_MP_BAD_UFS
|
|
- 0x8050800C
+0x8050800C
|
- ERR_MP_BAD_INPUT_DATA
+ERR_MP_BAD_INPUT_DATA
|
|
- 0x8050800D
+0x8050800D
|
- ERR_MP_BAD_GLOBAL_STORAGE
+ERR_MP_BAD_GLOBAL_STORAGE
|
|
- 0x8050800E
+0x8050800E
|
- ERR_MP_OBSOLETE
+ERR_MP_OBSOLETE
|
|
- 0x8050800F
+0x8050800F
|
- ERR_MP_NOT_SUPPORTED
+ERR_MP_NOT_SUPPORTED
|
|
- 0x8050800F
+0x8050800F
0x80508010
-
|
- ERR_MP_NO_MORE_ITEMS
+ERR_MP_NO_MORE_ITEMS
|
|
- 0x80508011
+0x80508011
|
- ERR_MP_DUPLICATE_SCANID
+ERR_MP_DUPLICATE_SCANID
|
|
- 0x80508012
+0x80508012
|
- ERR_MP_BAD_SCANID
+ERR_MP_BAD_SCANID
|
|
- 0x80508013
+0x80508013
|
- ERR_MP_BAD_USERDB_VERSION
+ERR_MP_BAD_USERDB_VERSION
|
|
- 0x80508014
+0x80508014
|
- ERR_MP_RESTORE_FAILED
+ERR_MP_RESTORE_FAILED
|
|
- 0x80508016
+0x80508016
|
- ERR_MP_BAD_ACTION
+ERR_MP_BAD_ACTION
|
|
- 0x80508019
+0x80508019
|
- ERR_MP_NOT_FOUND
+ERR_MP_NOT_FOUND
|
|
- 0x80509001
+0x80509001
|
- ERR_RELO_BAD_EHANDLE
+ERR_RELO_BAD_EHANDLE
|
|
- 0x80509003
+0x80509003
|
- ERR_RELO_KERNEL_NOT_LOADED
+ERR_RELO_KERNEL_NOT_LOADED
|
|
- 0x8050A001
+0x8050A001
|
- ERR_MP_BADDB_OPEN
+ERR_MP_BADDB_OPEN
|
|
- 0x8050A002
+0x8050A002
|
- ERR_MP_BADDB_HEADER
+ERR_MP_BADDB_HEADER
|
|
- 0x8050A003
+0x8050A003
|
- ERR_MP_BADDB_OLDENGINE
+ERR_MP_BADDB_OLDENGINE
|
|
- 0x8050A004
+0x8050A004
|
- ERR_MP_BADDB_CONTENT
+ERR_MP_BADDB_CONTENT
|
|
- 0x8050A005
+0x8050A005
|
- ERR_MP_BADDB_NOTSIGNED
+ERR_MP_BADDB_NOTSIGNED
|
|
- 0x8050801
+0x8050801
|
- ERR_MP_REMOVE_FAILED
+ERR_MP_REMOVE_FAILED
|
- This is an internal error. It might be triggered when malware removal is not successful.
-
+This is an internal error. It might be triggered when malware removal is not successful.
|
|
- 0x80508018
-
+0x80508018
|
- ERR_MP_SCAN_ABORTED
-
+ERR_MP_SCAN_ABORTED
+
|
- This is an internal error. It might have triggered when a scan fails to complete.
-
+This is an internal error. It might have triggered when a scan fails to complete.
|
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 6bef064955..7eba149ae9 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
+ms.author: iawilt
+ms.date: 06/13/2017
---
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index d331e9d39e..942587b25b 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus
-description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,16 +12,17 @@ localizationpriority: medium
author: iaanw
---
-# Windows Defender Antivirus in Windows 10
+# Windows Defender Antivirus in Windows 10 and Windows Server 2016
**Applies to**
- Windows 10
+- Windows Server 2016
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
-For more important information about running Windows Defender AV on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
+For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md).
Windows Defender AV can be managed with:
- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
@@ -57,14 +58,14 @@ See the [In this library](#in-this-library) list at the end of this topic for li
## Minimum system requirements
-Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+Windows Defender AV has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
-Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
+Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
@@ -73,10 +74,13 @@ Functionality, configuration, and management is largely the same when using Wind
Topic | Description
:---|:---
-[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
-[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
-[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
+[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place
+[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions
+[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection
+[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
+[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
+[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
+[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index b3305b6b1c..29fbb9377a 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus on Windows Server 2016
-description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
+description: Enable and configure Windows Defender AV on Windows Server 2016
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -13,7 +13,7 @@ author: iaanw
---
-# Windows Defender Antivirus on Windows Server
+# Windows Defender Antivirus on Windows Server 2016
**Applies to:**
@@ -36,15 +36,124 @@ author: iaanw
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
-See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
-
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
+This topic includes the following instructions for setting up and running Windows Defender AV on a server platform:
+
+- [Enable the interface](#BKMK_UsingDef)
+
+- [Verify Windows Defender AV is running](#BKMK_DefRun)
+
+- [Update antimalware definitions](#BKMK_UpdateDef)
+
+- [Submit Samples](#BKMK_DefSamples)
+
+- [Configure automatic exclusions](#BKMK_DefExclusions)
+
+
+## Enable the interface
+By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs.
+
+You can enable or disable the interface by using the **Add Roles and Features Wizard** or PowerShellCmdlets, as described in the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic.
+
+The following PowerShell cmdlet will enable the interface:
+
+```PowerShell
+Install-WindowsFeature -Name Windows-Defender-GUI
+```
+
+The following cmdlet will disable the interface:
+
+```PS
+Uninstall-WindowsFeature -Name Windows-Server-Antimalware
+```
+
+> [!TIP]
+> Event messages for the antimalware engine included with Windows Defender AV can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+
+
+
+## Verify Windows Defender is running
+To verify that Windows Defender AV is running on the server, run the following command from a command prompt:
+
+```DOS
+sc query Windefend
+```
+
+The `sc query` command returns information about the Windows Defender service. If Windows Defender is running, the `STATE` value displays `RUNNING`.
+
+
+## Update antimalware definitions
+In order to get updated antimalware definitions, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Windows Defender AV definitions are approved for the computers you manage.
+
+By default, Windows Update does not download and install updates automatically on Windows Server 2016. You can change this configuration by using one of the following methods:
+
+- **Windows Update** in Control Panel.
+
+ - **Install updates automatically** results in all updates being automatically installed, including Windows Defender definition updates.
+
+ - **Download updates but let me choose whether to install them** allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.
+
+- **Group Policy**. You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates**
+
+- The **AUOptions** registry key. The following two values allow Windows Update to automatically download and install definition updates.
+
+ - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender definition updates.
+
+ - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install definition updates automatically, but other updates are not automatically installed.
+
+To ensure that protection from malware is maintained, we recommend that you enable the following services:
+
+- Windows Defender Network Inspection service
+
+- Windows Error Reporting service
+
+- Windows Update service
+
+The following table lists the services for Windows Defender and the dependent services.
+
+|Service Name|File Location|Description|
+|--------|---------|--------|
+|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.|
+|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
+|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.|
+|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates|
+
+
+
+
+## Submit Samples
+Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware definitions.
+
+We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
+
+### Enable automatic sample submission
+
+- To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
+
+ - **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI.
+
+ - **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files.
+
+ - **2** Never send. The Windows Defender service does not prompt and does not send any files.
+
+ - **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation.
+
+
+## Configure automatic exclusions
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016.
+
+See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information.
+
+
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
\ No newline at end of file
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+
+
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index e32f2b9d8d..81691de5b0 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -27,14 +27,25 @@ Turn on the following advanced features to get better protected from potentially
## Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
-If your organization satisfies this condition, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
+If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
-## Office 365 Security Center integration
+## Show user details
+When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
+- Dashboard
+- Alert queue
+- Machine details page
+
+For more information, see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
+
+## Skype for Business integration
+Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
+
+## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
-
+## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
@@ -43,3 +54,5 @@ When you enable this feature, you'll be able to incorporate data from Office 365
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 494eb84889..99d2f5b51f 100644
--- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -71,3 +71,5 @@ This section lists various issues that you may encounter when using email notifi
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
index aca26a9b12..fa66ca420f 100644
--- a/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md
@@ -34,5 +34,7 @@ During the onboarding process, a wizard takes you through the general settings o
## Related topics
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
-- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png
index b2380e0236..bc0275c622 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png and b/windows/threat-protection/windows-defender-atp/images/atp-alert-status.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png b/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png
new file mode 100644
index 0000000000..8c3b8b4deb
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-create-suppression-rule.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png b/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png
new file mode 100644
index 0000000000..b330f34ac1
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-new-suppression-rule.png differ
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 9dd0f7d8b2..7ad9b687cb 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -56,7 +56,7 @@ Windows Defender ATP lets you create suppression rules so you can limit the aler
Suppression rules can be created from an existing alert.
-When a suppression rule is created, it will take effect from this point onwards. It will not affect existing alerts already in the queue, but new alerts triggered after the rule is created will not be displayed.
+When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
@@ -65,20 +65,38 @@ There are two contexts for a suppression rule that you can choose from:
The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule:
-**Context** | **Definition** |**Example scenarios**
----|---|---
-**Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.
All other alerts on that machine will not be suppressed. | - A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
- A developer regularly creates PowerShell scripts for their team.
-**Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | - A benign administrative tool is used by everyone in your organization.
+| **Context** | **Definition** | **Example scenarios** |
+|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.
All other alerts on that machine will not be suppressed. | - A security researcher is investigating a malicious script that has been used to attack other machines in your organization.
- A developer regularly creates PowerShell scripts for their team.
|
+| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. | - A benign administrative tool is used by everyone in your organization.
|
-**Suppress an alert and create a suppression rule:**
+### Suppress an alert and create a new suppression rule:
+Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert.
1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
-2. Scroll down to the **Supression rules** section.
-3. Choose the context for suppressing the alert.
-> [!NOTE]
-> You cannot create a custom or blank suppression rule. You must start from an existing alert.
+2. Scroll down to the **Create a supression rule** section.
+
+ 
+
+3. Choose the context for suppressing the alert.
+
+ 
+
+ > [!NOTE]
+ > You cannot create a custom or blank suppression rule. You must start from an existing alert.
+4. Specify the conditions for when the rule is applied:
+ - Alert title
+ - Indicator of compromise (IOC)
+ - Suppression conditions
+
+ > [!NOTE]
+ > The SHA1 of the alert cannot be modified
+5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization.
+
+6. Click **Save and close**.
+
**See the list of suppression rules:**
diff --git a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 8ae02a81bb..1c4dcb2648 100644
--- a/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -29,3 +29,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)