| MDM CSP setting path/name | -GP english name | -GP english category path | -GP name | -GP ADMX file name | -
|---|---|---|---|---|
| ActiveXControls/ApprovedInstallationSites | -Approved Installation Sites for ActiveX Controls | -Windows Components/ActiveX Installer Service | -ApprovedActiveXInstallSites | -ActiveXInstallService.admx | -
| AppVirtualization/AllowAppVClient | -Enable App-V Client | -System/App-V | -EnableAppV | -appv.admx | -
| AppVirtualization/AllowDynamicVirtualization | -Enable Dynamic Virtualization | -System/App-V/Virtualization | -Virtualization_JITVEnable | -appv.admx | -
| AppVirtualization/AllowPackageCleanup | -Enable automatic cleanup of unused appv packages | -System/App-V/Package Management | -PackageManagement_AutoCleanupEnable | -appv.admx | -
| AppVirtualization/AllowPackageScripts | -Enable Package Scripts | -System/App-V/Scripting | -Scripting_Enable_Package_Scripts | -appv.admx | -
| AppVirtualization/AllowPublishingRefreshUX | -Enable Publishing Refresh UX | -System/App-V/Publishing | -Enable_Publishing_Refresh_UX | -appv.admx | -
| AppVirtualization/AllowReportingServer | -Reporting Server | -System/App-V/Reporting | -Reporting_Server_Policy | -appv.admx | -
| AppVirtualization/AllowRoamingFileExclusions | -Roaming File Exclusions | -System/App-V/Integration | -Integration_Roaming_File_Exclusions | -appv.admx | -
| AppVirtualization/AllowRoamingRegistryExclusions | -Roaming Registry Exclusions | -System/App-V/Integration | -Integration_Roaming_Registry_Exclusions | -appv.admx | -
| AppVirtualization/AllowStreamingAutoload | -Specify what to load in background (aka AutoLoad) | -System/App-V/Streaming | -Steaming_Autoload | -appv.admx | -
| AppVirtualization/ClientCoexistenceAllowMigrationmode | -Enable Migration Mode | -System/App-V/Client Coexistence | -Client_Coexistence_Enable_Migration_mode | -appv.admx | -
| AppVirtualization/IntegrationAllowRootGlobal | -Integration Root User | -System/App-V/Integration | -Integration_Root_User | -appv.admx | -
| AppVirtualization/IntegrationAllowRootUser | -Integration Root Global | -System/App-V/Integration | -Integration_Root_Global | -appv.admx | -
| AppVirtualization/PublishingAllowServer1 | -Publishing Server 1 Settings | -System/App-V/Publishing | -Publishing_Server1_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer2 | -Publishing Server 2 Settings | -System/App-V/Publishing | -Publishing_Server2_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer3 | -Publishing Server 3 Settings | -System/App-V/Publishing | -Publishing_Server3_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer4 | -Publishing Server 4 Settings | -System/App-V/Publishing | -Publishing_Server4_Policy | -appv.admx | -
| AppVirtualization/PublishingAllowServer5 | -Publishing Server 5 Settings | -System/App-V/Publishing | -Publishing_Server5_Policy | -appv.admx | -
| AppVirtualization/StreamingAllowCertificateFilterForClient_SSL | -Certificate Filter For Client SSL | -System/App-V/Streaming | -Streaming_Certificate_Filter_For_Client_SSL | -appv.admx | -
| AppVirtualization/StreamingAllowHighCostLaunch | -Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection | -System/App-V/Streaming | -Streaming_Allow_High_Cost_Launch | -appv.admx | -
| AppVirtualization/StreamingAllowLocationProvider | -Location Provider | -System/App-V/Streaming | -Streaming_Location_Provider | -appv.admx | -
| AppVirtualization/StreamingAllowPackageInstallationRoot | -Package Installation Root | -System/App-V/Streaming | -Streaming_Package_Installation_Root | -appv.admx | -
| AppVirtualization/StreamingAllowPackageSourceRoot | -Package Source Root | -System/App-V/Streaming | -Streaming_Package_Source_Root | -appv.admx | -
| AppVirtualization/StreamingAllowReestablishmentInterval | -Reestablishment Interval | -System/App-V/Streaming | -Streaming_Reestablishment_Interval | -appv.admx | -
| AppVirtualization/StreamingAllowReestablishmentRetries | -Reestablishment Retries | -System/App-V/Streaming | -Streaming_Reestablishment_Retries | -appv.admx | -
| AppVirtualization/StreamingSharedContentStoreMode | -Shared Content Store (SCS) mode | -System/App-V/Streaming | -Streaming_Shared_Content_Store_Mode | -appv.admx | -
| AppVirtualization/StreamingSupportBranchCache | -Enable Support for BranchCache | -System/App-V/Streaming | -Streaming_Support_Branch_Cache | -appv.admx | -
| AppVirtualization/StreamingVerifyCertificateRevocationList | -Verify certificate revocation list | -System/App-V/Streaming | -Streaming_Verify_Certificate_Revocation_List | -appv.admx | -
| AppVirtualization/VirtualComponentsAllowList | -Virtual Component Process Allow List | -System/App-V/Virtualization | -Virtualization_JITVAllowList | -appv.admx | -
| AttachmentManager/DoNotPreserveZoneInformation | -Do not preserve zone information in file attachments | -Windows Components/Attachment Manager | -AM_MarkZoneOnSavedAtttachments | -AttachmentManager.admx | -
| AttachmentManager/HideZoneInfoMechanism | -Hide mechanisms to remove zone information | -Windows Components/Attachment Manager | -AM_RemoveZoneInfo | -AttachmentManager.admx | -
| AttachmentManager/NotifyAntivirusPrograms | -Notify antivirus programs when opening attachments | -Windows Components/Attachment Manager | -AM_CallIOfficeAntiVirus | -AttachmentManager.admx | -
| Autoplay/DisallowAutoplayForNonVolumeDevices | -Disallow Autoplay for non-volume devices | -Windows Components/AutoPlay Policies | -NoAutoplayfornonVolume | -AutoPlay.admx | -
| Autoplay/SetDefaultAutoRunBehavior | -Set the default behavior for AutoRun | -Windows Components/AutoPlay Policies | -NoAutorun | -AutoPlay.admx | -
| Autoplay/TurnOffAutoPlay | -Turn off Autoplay | -Windows Components/AutoPlay Policies | -Autorun | -AutoPlay.admx | -
| Connectivity/HardenedUNCPaths | -Hardened UNC Paths | -Network/Network Provider | -Pol_HardenedPaths | -networkprovider.admx | -
| CredentialProviders/AllowPINLogon | -Turn on convenience PIN sign-in | -System/Logon | -AllowDomainPINLogon | -credentialproviders.admx | -
| CredentialProviders/BlockPicturePassword | -Turn off picture password sign-in | -System/Logon | -BlockDomainPicturePassword | -credentialproviders.admx | -
| CredentialsUI/DisablePasswordReveal | -Do not display the password reveal button | -Windows Components/Credential User Interface | -DisablePasswordReveal | -credui.admx | -
| CredentialsUI/EnumerateAdministrators | -Enumerate administrator accounts on elevation | -Windows Components/Credential User Interface | -EnumerateAdministrators | -credui.admx | -
| DataUsage/SetCost3G | -Set 3G Cost | -Network/WWAN Service/WWAN Media Cost | -SetCost3G | -wwansvc.admx | -
| DataUsage/SetCost4G | -Set 4G Cost | -Network/WWAN Service/WWAN Media Cost | -SetCost4G | -wwansvc.admx | -
| Desktop/PreventUserRedirectionOfProfileFolders | -- | - | - | desktop.admx | -
| DeviceInstallation/PreventInstallationOfMatchingDeviceIDs | -Prevent installation of devices that match any of these device IDs | -System/Device Installation/Device Installation Restrictions | -DeviceInstall_IDs_Deny | -deviceinstallation.admx | -
| DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses | -Prevent installation of devices using drivers that match these device setup classes | -System/Device Installation/Device Installation Restrictions | -DeviceInstall_Classes_Deny | -deviceinstallation.admx | -
| DeviceLock/PreventLockScreenSlideShow | -- | - | - | ControlPanelDisplay.admx | -
| ErrorReporting/CustomizeConsentSettings | -Customize consent settings | -Windows Components/Windows Error Reporting/Consent | -WerConsentCustomize_2 | -ErrorReporting.admx | -
| ErrorReporting/DisableWindowsErrorReporting | -Disable Windows Error Reporting | -Windows Components/Windows Error Reporting | -WerDisable_2 | -ErrorReporting.admx | -
| ErrorReporting/DisplayErrorNotification | -Display Error Notification | -Windows Components/Windows Error Reporting | -PCH_ShowUI | -ErrorReporting.admx | -
| ErrorReporting/DoNotSendAdditionalData | -Do not send additional data | -Windows Components/Windows Error Reporting | -WerNoSecondLevelData_2 | -ErrorReporting.admx | -
| ErrorReporting/PreventCriticalErrorDisplay | -Prevent display of the user interface for critical errors | -Windows Components/Windows Error Reporting | -WerDoNotShowUI | -ErrorReporting.admx | -
| EventLogService/ControlEventLogBehavior | -Control Event Log behavior when the log file reaches its maximum size | -Windows Components/Event Log Service/Application | -Channel_Log_Retention_1 | -eventlog.admx | -
| EventLogService/SpecifyMaximumFileSizeApplicationLog | -Specify the maximum log file size (KB) | -Windows Components/Event Log Service/Application | -Channel_LogMaxSize_1 | -eventlog.admx | -
| EventLogService/SpecifyMaximumFileSizeSecurityLog | -Specify the maximum log file size (KB) | -Windows Components/Event Log Service/Security | -Channel_LogMaxSize_2 | -eventlog.admx | -
| EventLogService/SpecifyMaximumFileSizeSystemLog | -Specify the maximum log file size (KB) | -Windows Components/Event Log Service/System | -Channel_LogMaxSize_4 | -eventlog.admx | -
| InternetExplorer/AddSearchProvider | -Add a specific list of search providers to the user's list of search providers | -Windows Components/Internet Explorer | -AddSearchProvider | -inetres.admx | -
| InternetExplorer/AllowActiveXFiltering | -Turn on ActiveX Filtering | -Windows Components/Internet Explorer | -TurnOnActiveXFiltering | -inetres.admx | -
| InternetExplorer/AllowAddOnList | -Add-on List | -Windows Components/Internet Explorer/Security Features/Add-on Management | -AddonManagement_AddOnList | -inetres.admx | -
| InternetExplorer/AllowEnhancedProtectedMode | -Turn on Enhanced Protected Mode | -Windows Components/Internet Explorer/Internet Control Panel/Advanced Page | -Advanced_EnableEnhancedProtectedMode | -inetres.admx | -
| InternetExplorer/AllowEnterpriseModeFromToolsMenu | -Let users turn on and use Enterprise Mode from the Tools menu | -Windows Components/Internet Explorer | -EnterpriseModeEnable | -inetres.admx | -
| InternetExplorer/AllowEnterpriseModeSiteList | -Use the Enterprise Mode IE website list | -Windows Components/Internet Explorer | -EnterpriseModeSiteList | -inetres.admx | -
| InternetExplorer/AllowInternetExplorer7PolicyList | -Use Policy List of Internet Explorer 7 sites | -CompatView_UsePolicyList | -inetres.admx | -|
| InternetExplorer/AllowInternetExplorerStandardsMode | -Turn on Internet Explorer Standards Mode for local intranet | -Windows Components/Internet Explorer/Compatibility View | -CompatView_IntranetSites | -inetres.admx | -
| InternetExplorer/AllowInternetZoneTemplate | -Internet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyInternetZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowIntranetZoneTemplate | -Intranet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyIntranetZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowLocalMachineZoneTemplate | -Local Machine Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyLocalMachineZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownInternetZoneTemplate | -Locked-Down Internet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyInternetZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownIntranetZoneTemplate | -Locked-Down Intranet Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyIntranetZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownLocalMachineZoneTemplate | -Locked-Down Local Machine Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyLocalMachineZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate | -Locked-Down Restricted Sites Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyRestrictedSitesZoneLockdownTemplate | -inetres.admx | -
| InternetExplorer/AllowOneWordEntry | -Go to an intranet site for a one-word entry in the Address bar | -Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing | -UseIntranetSiteForOneWordEntry | -inetres.admx | -
| InternetExplorer/AllowSiteToZoneAssignmentList | -Site to Zone Assignment List | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_Zonemaps | -inetres.admx | -
| InternetExplorer/AllowSuggestedSites | -Turn on Suggested Sites | -Windows Components/Internet Explorer | -EnableSuggestedSites | -inetres.admx | -
| InternetExplorer/AllowTrustedSitesZoneTemplate | -Trusted Sites Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyTrustedSitesZoneTemplate | -inetres.admx | -
| InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate | -Locked-Down Trusted Sites Zone Template | -IZ_PolicyTrustedSitesZoneLockdownTemplate | -inetres.admx | -|
| InternetExplorer/AllowsRestrictedSitesZoneTemplate | -Restricted Sites Zone Template | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_PolicyRestrictedSitesZoneTemplate | -inetres.admx | -
| InternetExplorer/DisableAdobeFlash | -Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects | -Windows Components/Internet Explorer/Security Features/Add-on Management | -DisableFlashInIE | -inetres.admx | -
| InternetExplorer/DisableBypassOfSmartScreenWarnings | -- | - | - | inetres.admx | -
| InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles | -- | - | - | inetres.admx | -
| InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation | -Prevent participation in the Customer Experience Improvement Program | -Windows Components/Internet Explorer | -SQM_DisableCEIP | -inetres.admx | -
| InternetExplorer/DisableEnclosureDownloading | -Prevent downloading of enclosures | -Windows Components/RSS Feeds | -Disable_Downloading_of_Enclosures | -inetres.admx | -
| InternetExplorer/DisableEncryptionSupport | -Turn off encryption support | -Windows Components/Internet Explorer/Internet Control Panel/Advanced Page | -Advanced_SetWinInetProtocols | -inetres.admx | -
| InternetExplorer/DisableFirstRunWizard | -Prevent running First Run wizard | -Windows Components/Internet Explorer | -NoFirstRunCustomise | -inetres.admx | -
| InternetExplorer/DisableFlipAheadFeature | -Turn off the flip ahead with page prediction feature | -Windows Components/Internet Explorer/Internet Control Panel/Advanced Page | -Advanced_DisableFlipAhead | -inetres.admx | -
| InternetExplorer/DisableHomePageChange | -Disable changing home page settings | -Windows Components/Internet Explorer | -RestrictHomePage | -inetres.admx | -
| InternetExplorer/DisableProxyChange | -- | - | - | inetres.admx | -
| InternetExplorer/DisableSearchProviderChange | -Prevent changing the default search provider | -Windows Components/Internet Explorer | -NoSearchProvider | -inetres.admx | -
| InternetExplorer/DisableSecondaryHomePageChange | -Disable changing secondary home page settings | -Windows Components/Internet Explorer | -SecondaryHomePages | -inetres.admx | -
| InternetExplorer/DisableUpdateCheck | -- | - | - | inetres.admx | -
| InternetExplorer/DoNotAllowUsersToAddSites | -- | - | - | inetres.admx | -
| InternetExplorer/DoNotAllowUsersToChangePolicies | -- | - | - | inetres.admx | -
| InternetExplorer/DoNotBlockOutdatedActiveXControls | -Turn off blocking of outdated ActiveX controls for Internet Explorer | -Windows Components/Internet Explorer/Security Features/Add-on Management | -VerMgmtDisable | -inetres.admx | -
| InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains | -Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains | -Windows Components/Internet Explorer/Security Features/Add-on Management | -VerMgmtDomainAllowlist | -inetres.admx | -
| InternetExplorer/IncludeAllLocalSites | -Intranet Sites: Include all local (intranet) sites not listed in other zones | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_IncludeUnspecifiedLocalSites | -inetres.admx | -
| InternetExplorer/IncludeAllNetworkPaths | -Intranet Sites: Include all network paths (UNCs) | -Windows Components/Internet Explorer/Internet Control Panel/Security Page | -IZ_UNCAsIntranet | -inetres.admx | -
| InternetExplorer/InternetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyNotificationBarActiveXURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyNotificationBarDownloadURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyFontDownload_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyZoneElevationURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_Policy_AllowScriptlets_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_Policy_Phishing_1 | -inetres.admx | -
| InternetExplorer/InternetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyUserdataPersistence_1 | -inetres.admx | -
| InternetExplorer/InternetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_1 | -inetres.admx | -
| InternetExplorer/InternetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_1 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyNotificationBarActiveXURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyNotificationBarDownloadURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyFontDownload_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyZoneElevationURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_Policy_AllowScriptlets_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_Policy_Phishing_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyUserdataPersistence_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_3 | -inetres.admx | -
| InternetExplorer/IntranetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_3 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyNotificationBarActiveXURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyNotificationBarDownloadURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyFontDownload_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyZoneElevationURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_Policy_AllowScriptlets_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_Policy_Phishing_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyUserdataPersistence_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_9 | -inetres.admx | -
| InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone | -IZ_PolicyNavigateSubframesAcrossDomains_9 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyNotificationBarActiveXURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyNotificationBarDownloadURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyFontDownload_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyZoneElevationURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_Policy_AllowScriptlets_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_Policy_Phishing_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyUserdataPersistence_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_2 | -inetres.admx | -
| InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_2 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyNotificationBarActiveXURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyNotificationBarDownloadURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyFontDownload_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyZoneElevationURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_Policy_AllowScriptlets_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_Policy_Phishing_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyUserdataPersistence_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_4 | -inetres.admx | -
| InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone | -IZ_PolicyNavigateSubframesAcrossDomains_4 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyNotificationBarActiveXURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyNotificationBarDownloadURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyFontDownload_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyZoneElevationURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_Policy_AllowScriptlets_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_Policy_Phishing_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyUserdataPersistence_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_10 | -inetres.admx | -
| InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone | -IZ_PolicyNavigateSubframesAcrossDomains_10 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyFontDownload_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyZoneElevationURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_Policy_AllowScriptlets_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_Policy_Phishing_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyUserdataPersistence_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_8 | -inetres.admx | -
| InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_8 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyFontDownload_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyZoneElevationURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_Policy_AllowScriptlets_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_Policy_Phishing_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyUserdataPersistence_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_6 | -inetres.admx | -
| InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_6 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyFontDownload_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyZoneElevationURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_Policy_AllowScriptlets_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_Policy_Phishing_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyUserdataPersistence_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_7 | -inetres.admx | -
| InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_7 | -inetres.admx | -
| InternetExplorer/SearchProviderList | -Restrict search providers to a specific list | -Windows Components/Internet Explorer | -SpecificSearchProvider | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowAccessToDataSources | -Access data sources across domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyAccessDataSourcesAcrossDomains_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls | -Automatic prompting for ActiveX controls | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyNotificationBarActiveXURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads | -Automatic prompting for file downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyNotificationBarDownloadURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowFontDownloads | -Allow font downloads | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyFontDownload_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites | -Web sites in less privileged Web content zones can navigate into this zone | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyZoneElevationURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents | -Run .NET Framework-reliant components not signed with Authenticode | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyUnsignedFrameworkComponentsURLaction_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowScriptlets | -Allow scriptlets | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_Policy_AllowScriptlets_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowSmartScreenIE | -Turn on SmartScreen Filter scan | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_Policy_Phishing_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneAllowUserDataPersistence | -Userdata persistence | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyUserdataPersistence_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls | -Initialize and script ActiveX controls not marked as safe | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyScriptActiveXNotMarkedSafe_5 | -inetres.admx | -
| InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames | -Navigate windows and frames across different domains | -Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone | -IZ_PolicyNavigateSubframesAcrossDomains_5 | -inetres.admx | -
| Kerberos/AllowForestSearchOrder | -- | ForestSearch | -Kerberos.admx | -|
| Kerberos/KerberosClientSupportsClaimsCompoundArmor | -Kerberos client support for claims, compound authentication and Kerberos armoring | -System/Kerberos | -EnableCbacAndArmor | -Kerberos.admx | -
| Kerberos/RequireKerberosArmoring | -Fail authentication requests when Kerberos armoring is not available | -System/Kerberos | -ClientRequireFast | -Kerberos.admx | -
| Kerberos/RequireStrictKDCValidation | -Require strict KDC validation | -System/Kerberos | -ValidateKDC | -Kerberos.admx | -
| Kerberos/SetMaximumContextTokenSize | -Set maximum Kerberos SSPI context token buffer size | -System/Kerberos | -MaxTokenSize | -Kerberos.admx | -
| Power/AllowStandbyWhenSleepingPluggedIn | -Allow standby states (S1-S3) when sleeping (plugged in) | -System/Power Management/Sleep Settings | -AllowStandbyStatesAC_2 | -power.admx | -
| Power/RequirePasswordWhenComputerWakesOnBattery | -Require a password when a computer wakes (on battery) | -System/Power Management/Sleep Settings | -DCPromptForPasswordOnResume_2 | -power.admx | -
| Power/RequirePasswordWhenComputerWakesPluggedIn | -Require a password when a computer wakes (plugged in) | -System/Power Management/Sleep Settings | -ACPromptForPasswordOnResume_2 | -power.admx | -
| Printers/PointAndPrintRestrictions | -Point and Print Restrictions | -Printers | -PointAndPrint_Restrictions_Win7 | -Printing.admx | -
| Printers/PointAndPrintRestrictions_User | -Point and Print Restrictions | -PointAndPrint_Restrictions | -Printing.admx | -|
| Printers/PublishPrinters | -Allow printers to be published | -Printers | -PublishPrinters | -Printing2.admx | -
| RemoteAssistance/CustomizeWarningMessages | -Customize warning messages | -System/Remote Assistance | -RA_Options | -remoteassistance.admx | -
| RemoteAssistance/SessionLogging | -Turn on session logging | -System/Remote Assistance | -RA_Logging | -remoteassistance.admx | -
| RemoteAssistance/SolicitedRemoteAssistance | -Configure Solicited Remote Assistance | -System/Remote Assistance | -RA_Solicit | -remoteassistance.admx | -
| RemoteAssistance/UnsolicitedRemoteAssistance | -Configure Offer Remote Assistance | -RA_Unsolicit | -remoteassistance.admx | -|
| RemoteDesktopServices/AllowUsersToConnectRemotely | -Allow users to connect remotely by using Remote Desktop Services | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections | -TS_DISABLE_CONNECTIONS | -terminalserver.admx | -
| RemoteDesktopServices/ClientConnectionEncryptionLevel | -Set client connection encryption level | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | -TS_ENCRYPTION_POLICY | -terminalserver.admx | -
| RemoteDesktopServices/DoNotAllowDriveRedirection | -Do not allow drive redirection | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection | -TS_CLIENT_DRIVE_M | -terminalserver.admx | -
| RemoteDesktopServices/DoNotAllowPasswordSaving | -Do not allow passwords to be saved | -Windows Components/Remote Desktop Services/Remote Desktop Connection Client | -TS_CLIENT_DISABLE_PASSWORD_SAVING_2 | -terminalserver.admx | -
| RemoteDesktopServices/PromptForPasswordUponConnection | -Always prompt for password upon connection | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | -TS_PASSWORD | -terminalserver.admx | -
| RemoteDesktopServices/RequireSecureRPCCommunication | -Require secure RPC communication | -Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security | -TS_RPC_ENCRYPTION | -terminalserver.admx | -
| RemoteProcedureCall/RPCEndpointMapperClientAuthentication | -Enable RPC Endpoint Mapper Client Authentication | -System/Remote Procedure Call | -RpcEnableAuthEpResolution | -rpc.admx | -
| RemoteProcedureCall/RestrictUnauthenticatedRPCClients | -Restrict Unauthenticated RPC clients | -System/Remote Procedure Call | -RpcRestrictRemoteClients | -rpc.admx | -
| Storage/EnhancedStorageDevices | -Do not allow Windows to activate Enhanced Storage devices | -System/Enhanced Storage Access | -TCGSecurityActivationDisabled | -enhancedstorage.admx | -
| System/BootStartDriverInitialization | -Boot-Start Driver Initialization Policy | -System/Early Launch Antimalware | -POL_DriverLoadPolicy_Name | -earlylauncham.admx | -
| System/DisableSystemRestore | -Turn off System Restore | -System/System Restore | -SR_DisableSR | -systemrestore.admx | -
| WindowsLogon/DisableLockScreenAppNotifications | -Turn off app notifications on the lock screen | -System/Logon | -DisableLockScreenAppNotifications | -logon.admx | -
| WindowsLogon/DontDisplayNetworkSelectionUI | -Do not display network selection UI | -System/Logon | -DontDisplayNetworkSelectionUI | -logon.admx | -
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
- -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.
- -Note: Wild card characters cannot be used when specifying the host URLs. -
- -**AppVirtualization/AllowAppVClient** - -This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
- -**AppVirtualization/AllowDynamicVirtualization** - -Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
- -**AppVirtualization/AllowPackageCleanup** - -N/A
- -**AppVirtualization/AllowPackageScripts** - -Enables scripts defined in the package manifest of configuration files that should run.
- -**AppVirtualization/AllowPublishingRefreshUX** - -Enables a UX to display to the user when a publishing refresh is performed on the client.
- -**AppVirtualization/AllowReportingServer** - -Reporting Server URL: Displays the URL of reporting server.
- -Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - - Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - - Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - - Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.
- -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. -
- -**AppVirtualization/AllowRoamingFileExclusions** - -Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
- -**AppVirtualization/AllowRoamingRegistryExclusions** - -Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
- -**AppVirtualization/AllowStreamingAutoload** - -Specifies how new packages should be loaded automatically by App-V on a specific computer.
- -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - -Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
- -**AppVirtualization/IntegrationAllowRootGlobal** - -Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
- -**AppVirtualization/IntegrationAllowRootUser** - -Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
- -**AppVirtualization/PublishingAllowServer1** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer2** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer3** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer4** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/PublishingAllowServer5** - -Publishing Server Display Name: Displays the name of publishing server. - - Publishing Server URL: Displays the URL of publishing server. - - Global Publishing Refresh: Enables global publishing refresh (Boolean). - - Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - - Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - - Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - User Publishing Refresh: Enables user publishing refresh (Boolean). - - User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - - User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - - User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). -
- -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - -Specifies the path to a valid certificate in the certificate store.
- -**AppVirtualization/StreamingAllowHighCostLaunch** - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
- -**AppVirtualization/StreamingAllowLocationProvider** - -Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
- -**AppVirtualization/StreamingAllowPackageInstallationRoot** - -Specifies directory where all new applications and updates will be installed.
- -**AppVirtualization/StreamingAllowPackageSourceRoot** - -Overrides source location for downloading package content.
- -**AppVirtualization/StreamingAllowReestablishmentInterval** - -Specifies the number of seconds between attempts to reestablish a dropped session.
- -**AppVirtualization/StreamingAllowReestablishmentRetries** - -Specifies the number of times to retry a dropped session.
- -**AppVirtualization/StreamingSharedContentStoreMode** - -Specifies that streamed package contents will be not be saved to the local hard disk.
- -**AppVirtualization/StreamingSupportBranchCache** - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
- -**AppVirtualization/StreamingVerifyCertificateRevocationList** - -Verifies Server certificate revocation status before streaming using HTTPS.
- -**AppVirtualization/VirtualComponentsAllowList** - -Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.
- -**AttachmentManager/DoNotPreserveZoneInformation** - -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
- -If you enable this policy setting, Windows does not mark file attachments with their zone information.
- -If you disable this policy setting, Windows marks file attachments with their zone information.
- -If you do not configure this policy setting, Windows marks file attachments with their zone information.
- -**AttachmentManager/HideZoneInfoMechanism** - -This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
- -If you enable this policy setting, Windows hides the check box and Unblock button.
- -If you disable this policy setting, Windows shows the check box and Unblock button.
- -If you do not configure this policy setting, Windows hides the check box and Unblock button.
- -**AttachmentManager/NotifyAntivirusPrograms** - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
- -If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
- -If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.
- -**Autoplay/DisallowAutoplayForNonVolumeDevices** - -This policy setting disallows AutoPlay for MTP devices like cameras or phones.
- -If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.
- -If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
- -**Autoplay/SetDefaultAutoRunBehavior** - -This policy setting sets the default behavior for Autorun commands.
- -Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.
- -Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
- -This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
- -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:
- -a) Completely disable autorun commands, or - b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.
- -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
- -**Autoplay/TurnOffAutoPlay** - -This policy setting allows you to turn off the Autoplay feature.
- -Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.
- -Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.
- -Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.
- -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.
- -This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.
- -If you disable or do not configure this policy setting, AutoPlay is enabled.
- -Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
- -**Connectivity/HardenedUNCPaths** - -This policy setting configures secure access to UNC paths.
- -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. -
- -**CredentialProviders/AllowPINLogon** - -This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.
- -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
- -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
- -Note that the user's domain password will be cached in the system vault when using this feature.
- -**CredentialProviders/BlockPicturePassword** - -This policy setting allows you to control whether a domain user can sign in using a picture password.
- -If you enable this policy setting, a domain user can't set up or sign in with a picture password.
- -If you disable or don't configure this policy setting, a domain user can set up and use a picture password.
- -Note that the user's domain password will be cached in the system vault when using this feature.
- -**CredentialsUI/DisablePasswordReveal** - -This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
- -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.
- -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.
- -By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.
- -The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.
- -**CredentialsUI/EnumerateAdministrators** - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
- -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.
- -If you disable this policy setting, users will always be required to type a user name and password to elevate.
- -**DataUsage/SetCost3G** - -This policy setting configures the cost of 3G connections on the local machine.
- -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
- -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- -- Variable: This connection is costed on a per byte basis.
- -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. -
- -**DataUsage/SetCost4G** - -This policy setting configures the cost of 4G connections on the local machine.
- -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
- -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- -- Variable: This connection is costed on a per byte basis.
- -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. -
- -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
- -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
- -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
- -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
- -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
- -**ErrorReporting/CustomizeConsentSettings** - -This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
- -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
- -- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
- -- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
- -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
- -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
- -- 4 (Send all data): Any data requested by Microsoft is sent automatically.
- -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
- -**ErrorReporting/DisableWindowsErrorReporting** - -This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
- -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
- -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
- -**ErrorReporting/DisplayErrorNotification** - -This policy setting controls whether users are shown an error dialog box that lets them report an error.
- -If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.
- -If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.
- -If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.
- -See also the Configure Error Reporting policy setting.
- -**ErrorReporting/DoNotSendAdditionalData** - -This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
- -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
- -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
- -**ErrorReporting/PreventCriticalErrorDisplay** - -This policy setting prevents the display of the user interface for critical errors.
- -If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.
- -If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.
- -**EventLogService/ControlEventLogBehavior** - -This policy setting controls Event Log behavior when the log file reaches its maximum size.
- -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
- -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
- -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
- -**EventLogService/SpecifyMaximumFileSizeApplicationLog** - -This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
- -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
- -**EventLogService/SpecifyMaximumFileSizeSecurityLog** - -This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
- -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
- -**EventLogService/SpecifyMaximumFileSizeSystemLog** - -This policy setting specifies the maximum size of the log file in kilobytes.
- -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
- -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
- -**InternetExplorer/AddSearchProvider** - -This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
- -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
- -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.
- -**InternetExplorer/AllowActiveXFiltering** - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
- -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.
- -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
- -**InternetExplorer/AllowAddOnList** - -This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
- -This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.
- -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:
- -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
- -Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.
- -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.
- -**InternetExplorer/AllowEnhancedProtectedMode** - -Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
- -If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.
- -If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.
- -If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
- -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** - -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
- -If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.
- -If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.
- -**InternetExplorer/AllowEnterpriseModeSiteList** - -This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
- -If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.
- -If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.
- -**InternetExplorer/AllowInternetExplorer7PolicyList ** - -This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
- -If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.
- -If you disable or do not configure this policy setting, the user can add and remove sites from the list.
- -**InternetExplorer/AllowInternetExplorerStandardsMode** - -This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
- -If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.
- -If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.
- -If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.
- -**InternetExplorer/AllowInternetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowIntranetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLocalMachineZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowOneWordEntry** - -This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
- -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.
- -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.
- -**InternetExplorer/AllowSiteToZoneAssignmentList** - -This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
- -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
- -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
- -Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
- -Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
- -If you disable or do not configure this policy, users may choose their own site-to-zone assignments.
- -**InternetExplorer/AllowSuggestedSites** - -This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
- -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.
- -If you disable this policy setting, the entry points and functionality associated with this feature are turned off.
- -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.
- -**InternetExplorer/AllowTrustedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
- -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
- -If you disable this template policy setting, no security level is configured.
- -If you do not configure this template policy setting, no security level is configured.
- -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
- -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
- -**InternetExplorer/DisableAdobeFlash** - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
- -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
- -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.
- -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
- -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - -This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
- -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
- -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
- -If you do not configure this policy setting, the user can choose to participate in the CEIP.
- -**InternetExplorer/DisableEnclosureDownloading** - -This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
- -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
- -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
- -**InternetExplorer/DisableEncryptionSupport** - -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
- -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
- -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.
- -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
- -**InternetExplorer/DisableFirstRunWizard** - -This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
- -If you enable this policy setting, you must make one of the following choices: - Skip the First Run wizard, and go directly to the user's home page. - Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
- -Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
- -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
- -**InternetExplorer/DisableFlipAheadFeature** - -This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
- -Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
- -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.
- -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
- -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
- -**InternetExplorer/DisableHomePageChange** - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
- -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
- -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
- -**InternetExplorer/DisableSearchProviderChange** - -This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
- -If you enable this policy setting, the user cannot change the default search provider.
- -If you disable or do not configure this policy setting, the user can change the default search provider.
- -**InternetExplorer/DisableSecondaryHomePageChange** - -Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
- -If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.
- -If you disable or do not configure this policy setting, the user can add secondary home pages.
- -Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
- -**InternetExplorer/DoNotBlockOutdatedActiveXControls** - -This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
- -If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
- -If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
- -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
- -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** - -This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
- -If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
- -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"
- -If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
- -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
- -**InternetExplorer/IncludeAllLocalSites** - -This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
- -If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
- -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
- -If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
- -**InternetExplorer/IncludeAllNetworkPaths** - -This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
- -If you enable this policy setting, all network paths are mapped into the Intranet Zone.
- -If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
- -If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
- -**InternetExplorer/InternetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/InternetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
- -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
- -**InternetExplorer/InternetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/InternetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/InternetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/IntranetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
- -**InternetExplorer/IntranetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
- -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
- -**InternetExplorer/IntranetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/IntranetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
- -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LocalMachineZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
- -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
- -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
- -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.
- -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
- -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.
- -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.
- -**InternetExplorer/SearchProviderList** - -This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
- -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.
- -If you disable or do not configure this policy setting, the user can configure his or her list of search providers.
- -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
- -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
- -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - -This policy setting manages whether users will be automatically prompted for ActiveX control installations.
- -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
- -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
- -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
- -If you enable this setting, users will receive a file download dialog for automatic download attempts.
- -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
- -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - -This policy setting allows you to manage whether pages of the zone may download HTML fonts.
- -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
- -If you disable this policy setting, HTML fonts are prevented from downloading.
- -If you do not configure this policy setting, HTML fonts can be downloaded automatically.
- -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
- -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
- -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
- -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
- -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
- -If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
- -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
- -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - -This policy setting allows you to manage whether the user can run scriptlets.
- -If you enable this policy setting, the user can run scriptlets.
- -If you disable this policy setting, the user cannot run scriptlets.
- -If you do not configure this policy setting, the user can enable or disable scriptlets.
- -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
- -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
- -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
- -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
- -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
- -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
- -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
- -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** - -This policy setting allows you to manage ActiveX controls not marked as safe.
- -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
- -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
- -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
- -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
- -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
- -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
- -If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
- -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
- -**Kerberos/AllowForestSearchOrder** - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
- -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
- -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
- -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
- -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. -
- -**Kerberos/RequireKerberosArmoring** - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
- -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
- -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
- -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
- -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. -
- -**Kerberos/RequireStrictKDCValidation** - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
- -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
- -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. -
- -**Kerberos/SetMaximumContextTokenSize** - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
- -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
- -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
- -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
- - - -**Power/AllowStandbyWhenSleepingPluggedIn** - -This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
- -If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.
- -If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.
- -**Power/RequirePasswordWhenComputerWakesOnBattery** - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
- -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
- -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
- -**Power/RequirePasswordWhenComputerWakesPluggedIn** - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
- -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
- -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
- -**Printers/PointAndPrintRestrictions** - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
- -If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
- -If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
- -If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
- -**Printers/PointAndPrintRestrictions_User** - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
- -If you enable this policy setting: - -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. - -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
- -If you do not configure this policy setting: - -Windows Vista client computers can point and print to any server. - -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
- -If you disable this policy setting: - -Windows Vista client computers can create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. - -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. - -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. - -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
- -**Printers/PublishPrinters** - -Determines whether the computer's shared printers can be published in Active Directory.
- -If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
- -If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
- -Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
- -**RemoteAssistance/CustomizeWarningMessages** - -This policy setting lets you customize warning messages.
- -The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
- -The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
- -If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
- -If you disable this policy setting, the user sees the default warning message.
- -If you do not configure this policy setting, the user sees the default warning message.
- -**RemoteAssistance/SessionLogging** - -This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
- -If you enable this policy setting, log files are generated.
- -If you disable this policy setting, log files are not generated.
- -If you do not configure this setting, application-based settings are used.
- -**RemoteAssistance/SolicitedRemoteAssistance** - -This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
- -If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
- -If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
- -If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
- -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
- -The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
- -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
- -If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
- -**RemoteAssistance/UnsolicitedRemoteAssistance** - -This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
- -If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
- -If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
- -If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
- -If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
- -To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
- -If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
- -Windows Vista and later
- -Enable the Remote Assistance exception for the domain profile. The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe
- -Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
- -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe
- -For computers running Windows Server 2003 with Service Pack 1 (SP1)
- -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception
- -**RemoteDesktopServices/AllowUsersToConnectRemotely** - -This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
- -If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.
- -If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.
- -If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.
- -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.
- -You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. -
- -**RemoteDesktopServices/ClientConnectionEncryptionLevel** - -Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
- -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
- -* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.
- -* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.
- -* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.
- -If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.
- -Important
- -FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. -
- -**RemoteDesktopServices/DoNotAllowDriveRedirection** - -This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
- -By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format
If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.
- -If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.
- -If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. -
- -**RemoteDesktopServices/DoNotAllowPasswordSaving** - -Controls whether passwords can be saved on this computer from Remote Desktop Connection.
- -If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.
- -If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.
- -**RemoteDesktopServices/PromptForPasswordUponConnection** - -This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
- -You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
- -By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.
- -If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.
- -If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.
- -If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. -
- -**RemoteDesktopServices/RequireSecureRPCCommunication** - -Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
- -You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.
- -If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.
- -If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.
- -If the status is set to Not Configured, unsecured communication is allowed.
- -Note: The RPC interface is used for administering and configuring Remote Desktop Services.
- -**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** - -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
- -If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- -If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
- -Note: This policy will not be applied until the system is rebooted.
- -**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** - -This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
- -This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.
- -If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.
- -If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.
- -If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.
- --- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.
- --- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
- --- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.
- -Note: This policy setting will not be applied until the system is rebooted.
- -**Storage/EnhancedStorageDevices** - -This policy setting configures whether or not Windows will activate an Enhanced Storage device.
- -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
- -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
- -**System/BootStartDriverInitialization** - -N/A
- -**System/DisableSystemRestore** - -Allows you to disable System Restore.
- -This policy setting allows you to turn off System Restore.
- -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
- -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
- -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
- -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
- -**WindowsLogon/DisableLockScreenAppNotifications** - -This policy setting allows you to prevent app notifications from appearing on the lock screen.
- -If you enable this policy setting, no app notifications are displayed on the lock screen.
- -If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
- -**WindowsLogon/DontDisplayNetworkSelectionUI** - -This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
- -If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
- -If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
- - - - - - - diff --git a/windows/client-management/mdm/policy-configuration-service-provider-abovesku.md b/windows/client-management/mdm/policy-configuration-service-provider-abovesku.md deleted file mode 100644 index 0ecf600ba2..0000000000 --- a/windows/client-management/mdm/policy-configuration-service-provider-abovesku.md +++ /dev/null @@ -1,21324 +0,0 @@ ---- -title: Policy CSP -description: Policy CSP -ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: nickbrower ---- - -# Policy CSP - -The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. - -The Policy configuration service provider has the following sub-categories: - -- Policy/Config/*AreaName* – Handles the policy configuration request from the server. -- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device. - -The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. - - - - -**./Vendor/MSFT/Policy** -The root node for the Policy configuration service provider. - -
Supported operation is Get. - -**Policy/Config** -
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. - -
Supported operation is Get. - -**Policy/Config/****_AreaName_** -
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. - -
Supported operations are Add, Get, and Delete. - -**Policy/Config/****_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. - -
The following list shows some tips to help you when configuring policies: - -- Separate substring values by the Unicode &\#xF000; in the XML file. - -> [!NOTE] -> A query from a different caller could provide a different value as each caller could have different values for a named policy. - -- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. -- Supported operations are Add, Get, Delete, and Replace. -- Value type is string. - -**Policy/Result** -
Groups the evaluated policies from all providers that can be configured. - -
Supported operation is Get. - -**Policy/Result/****_AreaName_** -
The area group that can be configured by a single technology independent of the providers. - -
Supported operation is Get. - -**Policy/Result/****_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. - -
Supported operation is Get. - -**Policy/ConfigOperations** -
Added in Windows 10, version 1703. The root node for grouping different configuration operations. - -
Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall** -
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Centennial apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Centennial apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Centennial app policies, see [Win32 and Centennial app policy configuration](win32-and-centennial-app-policy-configuration.md). - -> [!NOTE] -> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). - -
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`. - -
Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_** -
Added in Windows 10, version 1703. Specifies the name of the Win32 or Centennial app associated with the ADMX file. - -
Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** -
Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app policy is to be imported. - -
Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. - -
Supported operations are Add and Get. Does not support Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** -
Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app preference is to be imported. - -
Supported operations are Add, Get, and Delete. - -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. - -
Supported operations are Add and Get. Does not support Delete. - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to allow Action Center notifications above the device lock screen. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**AboveLock/AllowCortanaAboveLock** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**AboveLock/AllowToasts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to allow toast notifications above the device lock screen. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Accounts/AllowAddingNonMicrosoftAccountsManually** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether user is allowed to add non-MSA email accounts. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - -> [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). - - - - - - - -**Accounts/AllowMicrosoftAccountConnection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Accounts/AllowMicrosoftAccountSignInAssistant** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. - -
The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Manual start. - - - - - - - -**Accounts/DomainNamesForEmailSync** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies a list of the domains that are allowed to sync email on the device. - -
The data type is a string. - -
The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". - - - - - - - -**ActiveXControls/ApprovedInstallationSites** - - -This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. - -If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. - -If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. - -Note: Wild card characters cannot be used when specifying the host URLs. - - - - - - -ADMX Info: -- GP english name: *Approved Installation Sites for ActiveX Controls* -- GP name: *ApprovedActiveXInstallSites* -- GP path: *Windows Components/ActiveX Installer Service* -- GP ADMX file name: *ActiveXInstallService.admx* - - - - -**AppVirtualization/AllowAppVClient** - - -This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. - - - - - -ADMX Info: -- GP english name: *Enable App-V Client* -- GP name: *EnableAppV* -- GP path: *System/App-V* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowDynamicVirtualization** - - -Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. - - - - - -ADMX Info: -- GP english name: *Enable Dynamic Virtualization* -- GP name: *Virtualization_JITVEnable* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPackageCleanup** - - -Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. - - - - - -ADMX Info: -- GP english name: *Enable automatic cleanup of unused appv packages* -- GP name: *PackageManagement_AutoCleanupEnable* -- GP path: *System/App-V/Package Management* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPackageScripts** - - -Enables scripts defined in the package manifest of configuration files that should run. - - - - - -ADMX Info: -- GP english name: *Enable Package Scripts* -- GP name: *Scripting_Enable_Package_Scripts* -- GP path: *System/App-V/Scripting* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowPublishingRefreshUX** - - -Enables a UX to display to the user when a publishing refresh is performed on the client. - - - - - -ADMX Info: -- GP english name: *Enable Publishing Refresh UX* -- GP name: *Enable_Publishing_Refresh_UX* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowReportingServer** - - -Reporting Server URL: Displays the URL of reporting server. - -Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. - -Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. - -Repeat reporting for every (days): The periodical interval in days for sending the reporting data. - -Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. - -Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. - - - - - - -ADMX Info: -- GP english name: *Reporting Server* -- GP name: *Reporting_Server_Policy* -- GP path: *System/App-V/Reporting* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowRoamingFileExclusions** - - -Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. - - - - - -ADMX Info: -- GP english name: *Roaming File Exclusions* -- GP name: *Integration_Roaming_File_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowRoamingRegistryExclusions** - - -Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. - - - - - -ADMX Info: -- GP english name: *Roaming Registry Exclusions* -- GP name: *Integration_Roaming_Registry_Exclusions* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/AllowStreamingAutoload** - - -Specifies how new packages should be loaded automatically by App-V on a specific computer. - - - - - -ADMX Info: -- GP english name: *Specify what to load in background (aka AutoLoad)* -- GP name: *Steaming_Autoload* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/ClientCoexistenceAllowMigrationmode** - - -Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. - - - - - -ADMX Info: -- GP english name: *Enable Migration Mode* -- GP name: *Client_Coexistence_Enable_Migration_mode* -- GP path: *System/App-V/Client Coexistence* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/IntegrationAllowRootGlobal** - - -Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. - - - - - -ADMX Info: -- GP english name: *Integration Root User* -- GP name: *Integration_Root_User* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/IntegrationAllowRootUser** - - -Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. - - - - - -ADMX Info: -- GP english name: *Integration Root Global* -- GP name: *Integration_Root_Global* -- GP path: *System/App-V/Integration* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer1** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - - -ADMX Info: -- GP english name: *Publishing Server 1 Settings* -- GP name: *Publishing_Server1_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer2** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - - -ADMX Info: -- GP english name: *Publishing Server 2 Settings* -- GP name: *Publishing_Server2_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer3** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - - -ADMX Info: -- GP english name: *Publishing Server 3 Settings* -- GP name: *Publishing_Server3_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer4** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - - -ADMX Info: -- GP english name: *Publishing Server 4 Settings* -- GP name: *Publishing_Server4_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/PublishingAllowServer5** - - -Publishing Server Display Name: Displays the name of publishing server. - -Publishing Server URL: Displays the URL of publishing server. - -Global Publishing Refresh: Enables global publishing refresh (Boolean). - -Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). - -Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. - -Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - -User Publishing Refresh: Enables user publishing refresh (Boolean). - -User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). - -User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. - -User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). - - - - - - -ADMX Info: -- GP english name: *Publishing Server 5 Settings* -- GP name: *Publishing_Server5_Policy* -- GP path: *System/App-V/Publishing* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** - - -Specifies the path to a valid certificate in the certificate store. - - - - - -ADMX Info: -- GP english name: *Certificate Filter For Client SSL* -- GP name: *Streaming_Certificate_Filter_For_Client_SSL* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowHighCostLaunch** - - -This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). - - - - - -ADMX Info: -- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* -- GP name: *Streaming_Allow_High_Cost_Launch* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowLocationProvider** - - -Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. - - - - - -ADMX Info: -- GP english name: *Location Provider* -- GP name: *Streaming_Location_Provider* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowPackageInstallationRoot** - - -Specifies directory where all new applications and updates will be installed. - - - - - -ADMX Info: -- GP english name: *Package Installation Root* -- GP name: *Streaming_Package_Installation_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowPackageSourceRoot** - - -Overrides source location for downloading package content. - - - - - -ADMX Info: -- GP english name: *Package Source Root* -- GP name: *Streaming_Package_Source_Root* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowReestablishmentInterval** - - -Specifies the number of seconds between attempts to reestablish a dropped session. - - - - - -ADMX Info: -- GP english name: *Reestablishment Interval* -- GP name: *Streaming_Reestablishment_Interval* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingAllowReestablishmentRetries** - - -Specifies the number of times to retry a dropped session. - - - - - -ADMX Info: -- GP english name: *Reestablishment Retries* -- GP name: *Streaming_Reestablishment_Retries* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingSharedContentStoreMode** - - -Specifies that streamed package contents will be not be saved to the local hard disk. - - - - - -ADMX Info: -- GP english name: *Shared Content Store (SCS) mode* -- GP name: *Streaming_Shared_Content_Store_Mode* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingSupportBranchCache** - - -If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache - - - - - -ADMX Info: -- GP english name: *Enable Support for BranchCache* -- GP name: *Streaming_Support_Branch_Cache* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/StreamingVerifyCertificateRevocationList** - - -Verifies Server certificate revocation status before streaming using HTTPS. - - - - - -ADMX Info: -- GP english name: *Verify certificate revocation list* -- GP name: *Streaming_Verify_Certificate_Revocation_List* -- GP path: *System/App-V/Streaming* -- GP ADMX file name: *appv.admx* - - - - -**AppVirtualization/VirtualComponentsAllowList** - - -Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. - - - - - -ADMX Info: -- GP english name: *Virtual Component Process Allow List* -- GP name: *Virtualization_JITVAllowList* -- GP path: *System/App-V/Virtualization* -- GP ADMX file name: *appv.admx* - - - - -**ApplicationDefaults/DefaultAssociationsConfiguration** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. - -
If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. - -
To create create the SyncML, follow these steps: -
Here is an example output from the dism default association export command:
-
-``` syntax
-
-
Here is the SyncMl example:
-
-``` syntax
-
-
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether non Windows Store apps are allowed. - -
The following list shows the supported values: - -- 0 – Explicit deny. -- 1 – Explicit allow unlock. -- 65535 (default) – Not configured. - -
Most restricted value is 0. - - - - - - - -**ApplicationManagement/AllowAppStoreAutoUpdate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether automatic update of apps from Windows Store are allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**ApplicationManagement/AllowDeveloperUnlock** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether developer unlock is allowed. - -
The following list shows the supported values: - -- 0 – Explicit deny. -- 1 – Explicit allow unlock. -- 65535 (default) – Not configured. - -
Most restricted value is 0. - - - - - - - -**ApplicationManagement/AllowGameDVR** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether DVR and broadcasting is allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**ApplicationManagement/AllowSharedUserAppData** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether multiple users of the same app can share data. - -
The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -
Most restricted value is 0. - - - - - - - -**ApplicationManagement/AllowStore** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether app store is allowed at the device. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**ApplicationManagement/ApplicationRestrictions** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md). - -> [!NOTE] -> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. -> -> Here's additional guidance for the upgrade process: -> -> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). -> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. -> - In the SyncML, you must use lowercase product ID. -> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. -> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). - - -
An application that is running may not be immediately terminated. - -
Value type is chr. - -
Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. - - - - - - - -**ApplicationManagement/DisableStoreOriginatedApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. - -
The following list shows the supported values: - -- 0 (default) – Enable launch of apps. -- 1 – Disable launch of apps. - - - - - - - -**ApplicationManagement/RequirePrivateStoreOnly** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows disabling of the retail catalog and only enables the Private store. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result. - - -
The following list shows the supported values: - -- 0 (default) – Allow both public and Private store. -- 1 – Only Private store is enabled. - -
This is a per user policy. - -
Most restricted value is 1. - - - - - - - -**ApplicationManagement/RestrictAppDataToSystemVolume** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether application data is restricted to the system drive. - -
The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - -
Most restricted value is 1. - - - - - - - -**ApplicationManagement/RestrictAppToSystemVolume** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether the installation of applications is restricted to the system drive. - -
The following list shows the supported values: - -- 0 (default) – Not restricted. -- 1 – Restricted. - -
Most restricted value is 1. - - - - - - - -**AttachmentManager/DoNotPreserveZoneInformation** - - -This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. - -If you enable this policy setting, Windows does not mark file attachments with their zone information. - -If you disable this policy setting, Windows marks file attachments with their zone information. - -If you do not configure this policy setting, Windows marks file attachments with their zone information. - - - - - -ADMX Info: -- GP english name: *Do not preserve zone information in file attachments* -- GP name: *AM_MarkZoneOnSavedAtttachments* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**AttachmentManager/HideZoneInfoMechanism** - - -This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. - -If you enable this policy setting, Windows hides the check box and Unblock button. - -If you disable this policy setting, Windows shows the check box and Unblock button. - -If you do not configure this policy setting, Windows hides the check box and Unblock button. - - - - - -ADMX Info: -- GP english name: *Hide mechanisms to remove zone information* -- GP name: *AM_RemoveZoneInfo* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**AttachmentManager/NotifyAntivirusPrograms** - - -This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. - -If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. - -If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - -If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. - - - - - -ADMX Info: -- GP english name: *Notify antivirus programs when opening attachments* -- GP name: *AM_CallIOfficeAntiVirus* -- GP path: *Windows Components/Attachment Manager* -- GP ADMX file name: *AttachmentManager.admx* - - - - -**Authentication/AllowEAPCertSSO** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. - - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Authentication/AllowFastReconnect** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows EAP Fast Reconnect from being attempted for EAP Method TLS. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Authentication/AllowSecondaryAuthenticationDevice** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - -
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). - - - - - - - -**Autoplay/DisallowAutoplayForNonVolumeDevices** - - -This policy setting disallows AutoPlay for MTP devices like cameras or phones. - -If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. - -If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. - - - - - -ADMX Info: -- GP english name: *Disallow Autoplay for non-volume devices* -- GP name: *NoAutoplayfornonVolume* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Autoplay/SetDefaultAutoRunBehavior** - - -This policy setting sets the default behavior for Autorun commands. - -Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. - -Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. - -This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. - -If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: - -a) Completely disable autorun commands, or -b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. - -If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. - - - - - -ADMX Info: -- GP english name: *Set the default behavior for AutoRun* -- GP name: *NoAutorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Autoplay/TurnOffAutoPlay** - - -This policy setting allows you to turn off the Autoplay feature. - -Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. - -Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. - -Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. - -If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. - -This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. - -If you disable or do not configure this policy setting, AutoPlay is enabled. - -Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. - - - - - -ADMX Info: -- GP english name: *Turn off Autoplay* -- GP name: *Autorun* -- GP path: *Windows Components/AutoPlay Policies* -- GP ADMX file name: *AutoPlay.admx* - - - - -**Bitlocker/EncryptionMethod** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the BitLocker Drive Encryption method and cipher strength. - -
The following list shows the supported values: - -- 3- AES 128-bit -- 4- AES 256 -- 6 -XTS 128 -- 7 - XTS 256 - - - - - - - -**Bluetooth/AllowAdvertising** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether the device can send out Bluetooth advertisements. - -
The following list shows the supported values: - -- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. -- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. - -
If this is not set or it is deleted, the default value of 1 (Allow) is used. - -
Most restricted value is 0. - - - - - - - -**Bluetooth/AllowDiscoverableMode** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether other Bluetooth-enabled devices can discover the device. - -
The following list shows the supported values: - -- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. -- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. - -
If this is not set or it is deleted, the default value of 1 (Allow) is used. - -
Most restricted value is 0. - - - - - - - -**Bluetooth/AllowPrepairing** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default)– Allowed. - - - - - - - -**Bluetooth/LocalDeviceName** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Sets the local Bluetooth device name. - -
If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. - -
If this policy is not set or it is deleted, the default local radio name is used. - - - - - - - -**Bluetooth/ServicesAllowedList** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. - -
The default value is an empty string. - - - - - - - -**Browser/AllowAddressBarDropdown** - - -
Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. - -> [!NOTE] -> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. - -
The following list shows the supported values: - -- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type." -- 1 (default) – Allowed. Address bar drop-down is enabled. - -
Most restricted value is 0. - - - - - - - -**Browser/AllowAutofill** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether autofill on websites is allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - -
To verify AllowAutofill is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Save form entries** is greyed out. - - - - - - - -**Browser/AllowBrowser** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether the browser is allowed on the device. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - -
When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. - - - - - - - -**Browser/AllowCookies** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether cookies are allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - -
To verify AllowCookies is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Cookies** is greyed out. - - - - - - - -**Browser/AllowDeveloperTools** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Browser/AllowDoNotTrack** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether Do Not Track headers are allowed. - -
The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -
Most restricted value is 1. - -
To verify AllowDoNotTrack is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Send Do Not Track requests** is greyed out. - - - - - - - -**Browser/AllowExtensions** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Browser/AllowFlash** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Browser/AllowFlashClickToRun** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. - -
The following list shows the supported values: - -- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. -- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. - - - - - - - -**Browser/AllowInPrivate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether InPrivate browsing is allowed on corporate networks. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Browser/AllowMicrosoftCompatibilityList** - - -
Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. -By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". - -
If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. - -
The following list shows the supported values: - -- 0 – Not enabled. -- 1 (default) – Enabled. - -
Most restricted value is 0. - - - - - - - -**Browser/AllowPasswordManager** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether saving and managing passwords locally on the device is allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - -
To verify AllowPasswordManager is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. - - - - - - - -**Browser/AllowPopups** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether pop-up blocker is allowed or enabled. - -
The following list shows the supported values: - -- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. -- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. - -
Most restricted value is 1. - -
To verify AllowPopups is set to 0 (not allowed): - -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Block pop-ups** is greyed out. - - - - - - - -**Browser/AllowSearchEngineCustomization** - - -
Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine. - -
If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Browser/AllowSearchSuggestionsinAddressBar** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether search suggestions are allowed in the address bar. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Browser/AllowSmartScreen** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether Windows Defender SmartScreen is allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 1. - -
To verify AllowSmartScreen is set to 0 (not allowed): - -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. - - - - - - - -**Browser/ClearBrowsingDataOnExit** - - -
Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. - -
The following list shows the supported values: - -- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. -- 1 – Browsing data is cleared on exit. - -
Most restricted value is 1. - -
To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): - -1. Open Microsoft Edge and browse to websites. -2. Close the Microsoft Edge window. -3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. - - - - - - - -**Browser/ConfigureAdditionalSearchEngines** - - -
Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices. - -
If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). -Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine. - -
If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. - -> [!IMPORTANT] -> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled. - -
The following list shows the supported values: - -- 0 (default) – Additional search engines are not allowed. -- 1 – Additional search engines are allowed. - -
Most restricted value is 0. - - - - - - - -**Browser/DisableLockdownOfStartPages** - - -
Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect. - -> [!NOTE] -> This policy has no effect when the Browser/HomePages policy is not configured. - -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). - -
The following list shows the supported values: - -- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages. -- 1 – Disable lockdown of the Start pages and allow users to modify them. - -
Most restricted value is 0. - - - - - - - -**Browser/EnterpriseModeSiteList** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows the user to specify an URL of an enterprise site list. - -
The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL location of the enterprise site list. - - - - - - - -**Browser/EnterpriseSiteListServiceUrl** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. - -
The data type is a string. - -
The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. - - - - - - - -**Browser/HomePages** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" - -
Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. - -
Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL. - -> [!NOTE] -> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. - - - - - - - - -**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. - -
The following list shows the supported values: - -- 0 (default) – Users can access the about:flags page in Microsoft Edge. -- 1 – Users can't access the about:flags page in Microsoft Edge. - - - - - - - -**Browser/PreventFirstRunPage** - - -
Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. - -
The following list shows the supported values: - -- 0 (default) – Employees see the First Run webpage. -- 1 – Employees don't see the First Run webpage. - -
Most restricted value is 1. - - - - - - - -**Browser/PreventLiveTileDataCollection** - - -
Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. - -
The following list shows the supported values: - -- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. -- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. - -
Most restricted value is 1. - - - - - - - -**Browser/PreventSmartScreenPromptOverride** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. - -
The following list shows the supported values: - -- 0 (default) – Off. -- 1 – On. - -
Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. - - - - - - - -**Browser/PreventSmartScreenPromptOverrideForFiles** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. - -
The following list shows the supported values: - -- 0 (default) – Off. -- 1 – On. - - - - - - - -**Browser/PreventUsingLocalHostIPAddressForWebRTC** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an
user’s localhost IP address while making phone calls using WebRTC. - -
The following list shows the supported values: - -- 0 (default) – The localhost IP address is shown. -- 1 – The localhost IP address is hidden. - - - - - - - -**Browser/SendIntranetTraffictoInternetExplorer** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to send intranet traffic over to Internet Explorer. - -
The following list shows the supported values: - -- 0 (default) – Intranet traffic is sent to Internet Explorer. -- 1 – Intranet traffic is sent to Microsoft Edge. - -
Most restricted value is 0. - - - - - - - -**Browser/SetDefaultSearchEngine** - - -
Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. - -
You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING. - -
If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. - -> [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). - -
The following list shows the supported values: - -- 0 (default) - The default search engine is set to the one specified in App settings. -- 1 - Allows you to configure the default search engine for your employees. - -
Most restricted value is 0. - - - - - - - -**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. - -
The following list shows the supported values: - -- 0 (default) – Interstitial pages are not shown. -- 1 – Interstitial pages are shown. - -
Most restricted value is 0. - - - - - - - -**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -> -> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. - -
The following list shows the supported values: - -- 0 (default) – Synchronization is off. -- 1 – Synchronization is on. - -
To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge: - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Disables or enables the camera. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Connectivity/AllowBluetooth** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows the user to enable Bluetooth or restrict access. - -
The following list shows the supported values: - -- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on. -- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. - -> [!NOTE] -> This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. - -- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. - -
If this is not set or it is deleted, the default value of 2 (Allow) is used. - -
Most restricted value is 0. - - - - - - - -**Connectivity/AllowCellularData** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. - -
The following list shows the supported values: - -- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. -- 1 (default) – Allow the cellular data channel. The user can turn it off. -- 2 - Allow the cellular data channel. The user cannot turn it off. - - - - - - - -**Connectivity/AllowCellularDataRoaming** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. - -
The following list shows the supported values: - -- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. -- 1 (default) – Allow cellular data roaming. -- 2 - Allow cellular data roaming on. The user cannot turn it off. - -
Most restricted value is 0. - -
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. - -
To validate on mobile devices, do the following: - -1. Go to Cellular & SIM. -2. Click on the SIM (next to the signal strength icon) and select **Properties**. -3. On the Properties page, select **Data roaming options**. - - - - - - - -**Connectivity/AllowConnectedDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. - -
The following list shows the supported values: - -- 1 (default) - Allow (CDP service available). -- 0 - Disable (CDP service not available). - - - - - - - -**Connectivity/AllowNFC** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows near field communication (NFC) on the device. - -
The following list shows the supported values: - -- 0 – Do not allow NFC capabilities. -- 1 (default) – Allow NFC capabilities. - -
Most restricted value is 0. - - - - - - - -**Connectivity/AllowUSBConnection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. - -
Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Connectivity/AllowVPNOverCellular** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies what type of underlying connections VPN is allowed to use. - -
The following list shows the supported values: - -- 0 – VPN is not allowed over cellular. -- 1 (default) – VPN can use any connection, including cellular. - -
Most restricted value is 0. - - - - - - - -**Connectivity/AllowVPNRoamingOverCellular** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Prevents the device from connecting to VPN when the device roams over cellular networks. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Connectivity/HardenedUNCPaths** - - -This policy setting configures secure access to UNC paths. - -If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. - - - - - - -ADMX Info: -- GP english name: *Hardened UNC Paths* -- GP name: *Pol_HardenedPaths* -- GP path: *Network/Network Provider* -- GP ADMX file name: *networkprovider.admx* - - - - -**CredentialProviders/AllowPINLogon** - - -This policy setting allows you to control whether a domain user can sign in using a convenience PIN. - -If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. - -If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. - -Note: The user's domain password will be cached in the system vault when using this feature. - -To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. - - - - - -ADMX Info: -- GP english name: *Turn on convenience PIN sign-in* -- GP name: *AllowDomainPINLogon* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* - - - - -**CredentialProviders/BlockPicturePassword** - - -This policy setting allows you to control whether a domain user can sign in using a picture password. - -If you enable this policy setting, a domain user can't set up or sign in with a picture password. - -If you disable or don't configure this policy setting, a domain user can set up and use a picture password. - -Note that the user's domain password will be cached in the system vault when using this feature. - - - - - -ADMX Info: -- GP english name: *Turn off picture password sign-in* -- GP name: *BlockDomainPicturePassword* -- GP path: *System/Logon* -- GP ADMX file name: *credentialproviders.admx* - - - - -**CredentialsUI/DisablePasswordReveal** - - -This policy setting allows you to configure the display of the password reveal button in password entry user experiences. - -If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. - -If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. - -By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. - -The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. - - - - - -ADMX Info: -- GP english name: *Do not display the password reveal button* -- GP name: *DisablePasswordReveal* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* - - - - -**CredentialsUI/EnumerateAdministrators** - - -This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. - -If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. - -If you disable this policy setting, users will always be required to type a user name and password to elevate. - - - - - -ADMX Info: -- GP english name: *Enumerate administrator accounts on elevation* -- GP name: *EnumerateAdministrators* -- GP path: *Windows Components/Credential User Interface* -- GP ADMX file name: *credui.admx* - - - - -**Cryptography/AllowFipsAlgorithmPolicy** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows the Federal Information Processing Standard (FIPS) policy. - -
The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1– Allowed. - - - - - - - -**Cryptography/TLSCipherSuites** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. - - - - - - - -**DataProtection/AllowDirectMemoryAccess** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**DataProtection/LegacySelectiveWipeID** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Setting used by Windows 8.1 Selective Wipe. - -> [!NOTE] -> This policy is not recommended for use in Windows 10. - - - - - - - - -**DataUsage/SetCost3G** - - -This policy setting configures the cost of 3G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. - - - - - - -ADMX Info: -- GP english name: *Set 3G Cost* -- GP name: *SetCost3G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - - - - -**DataUsage/SetCost4G** - - -This policy setting configures the cost of 4G connections on the local machine. - -If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: - -- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - -- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - -- Variable: This connection is costed on a per byte basis. - -If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. - - - - - - -ADMX Info: -- GP english name: *Set 4G Cost* -- GP name: *SetCost4G* -- GP path: *Network/WWAN Service/WWAN Media Cost* -- GP ADMX file name: *wwansvc.admx* - - - - -**Defender/AllowArchiveScanning** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows scanning of archives. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowBehaviorMonitoring** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows Windows Defender Behavior Monitoring functionality. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowCloudProtection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowEmailScanning** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows scanning of email. - -
The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - - - - -**Defender/AllowFullScanOnMappedNetworkDrives** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows a full scan of mapped network drives. - -
The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - - - - -**Defender/AllowFullScanRemovableDriveScanning** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows a full scan of removable drives. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowIOAVProtection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows Windows Defender IOAVP Protection functionality. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowIntrusionPreventionSystem** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows Windows Defender Intrusion Prevention functionality. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowOnAccessProtection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows Windows Defender On Access Protection functionality. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowRealtimeMonitoring** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows Windows Defender Realtime Monitoring functionality. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowScanningNetworkFiles** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows a scanning of network files. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowScriptScanning** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows Windows Defender Script Scanning functionality. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AllowUserUIAccess** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**Defender/AvgCPULoadFactor** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Represents the average CPU load factor for the Windows Defender scan (in percent). - -
Valid values: 0–100 - -
The default value is 50. - - - - - - - -**Defender/DaysToRetainCleanedMalware** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Time period (in days) that quarantine items will be stored on the system. - -
Valid values: 0–90 - -
The default value is 0, which keeps items in quarantine, and does not automatically remove them. - - - - - - - -**Defender/ExcludedExtensions** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". - - - - - - - -**Defender/ExcludedPaths** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". - - - - - - - -**Defender/ExcludedProcesses** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows an administrator to specify a list of files opened by processes to ignore during a scan. - -> [!IMPORTANT] -> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. - - -
Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". - - - - - - - -**Defender/PUAProtection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. - -
The following list shows the supported values: - -- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. -- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. -- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. - - - - - - - -**Defender/RealTimeScanDirection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Controls which sets of files should be monitored. - -> [!NOTE] -> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. - - -
The following list shows the supported values: - -- 0 (default) – Monitor all files (bi-directional). -- 1 – Monitor incoming files. -- 2 – Monitor outgoing files. - - - - - - - -**Defender/ScanParameter** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Selects whether to perform a quick scan or full scan. - -
The following list shows the supported values: - -- 1 (default) – Quick scan -- 2 – Full scan - - - - - - - -**Defender/ScheduleQuickScanTime** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Selects the time of day that the Windows Defender quick scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -
Valid values: 0–1380 - -
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -
The default value is 120 - - - - - - - -**Defender/ScheduleScanDay** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Selects the day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -
The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Monday -- 2 – Tuesday -- 3 – Wednesday -- 4 – Thursday -- 5 – Friday -- 6 – Saturday -- 7 – Sunday -- 8 – No scheduled scan - - - - - - - -**Defender/ScheduleScanTime** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Selects the time of day that the Windows Defender scan should run. - -> [!NOTE] -> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. - - -
Valid values: 0–1380. - -
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. - -
The default value is 120. - - - - - - - -**Defender/SignatureUpdateInterval** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. - -
Valid values: 0–24. - -
A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. - -
The default value is 8. - - - - - - - -**Defender/SubmitSamplesConsent** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. - -
The following list shows the supported values: - -- 0 – Always prompt. -- 1 (default) – Send safe samples automatically. -- 2 – Never send. -- 3 – Send all samples automatically. - - - - - - - -**Defender/ThreatSeverityDefaultAction** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. - -
This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 - -
The following list shows the supported values for threat severity levels: - -- 1 – Low severity threats -- 2 – Moderate severity threats -- 4 – High severity threats -- 5 – Severe threats - -
The following list shows the supported values for possible actions: - -- 1 – Clean -- 2 – Quarantine -- 3 – Remove -- 6 – Allow -- 8 – User defined -- 10 – Block - - - - - - - -**DeliveryOptimization/DOAbsoluteMaxCacheSize** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. - -
The default value is 10. - - - - - - - -**DeliveryOptimization/DOAllowVPNPeerCaching** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. - -
The default value is 0 (FALSE). - - - - - - - -**DeliveryOptimization/DODownloadMode** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. - -
The following list shows the supported values: - -- 0 –HTTP only, no peering. -- 1 (default) – HTTP blended with peering behind the same NAT. -- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. -- 3 – HTTP blended with Internet peering. -- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. -- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. - - - - - - - -**DeliveryOptimization/DOGroupId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. - -> [!NOTE] -> You must use a GUID as the group ID. - - - - - - - - -**DeliveryOptimization/DOMaxCacheAge** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. - -
The default value is 259200 seconds (3 days). - - - - - - - -**DeliveryOptimization/DOMaxCacheSize** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). - -
The default value is 20. - - - - - - - -**DeliveryOptimization/DOMaxDownloadBandwidth** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. - -
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - - - - -**DeliveryOptimization/DOMaxUploadBandwidth** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. - -
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). - - - - - - - -**DeliveryOptimization/DOMinBackgroundQos** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. - -
The default value is 500. - - - - - - - -**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. - -
The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. - - - - - - - -**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. - -> [!NOTE] -> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. - -
The default value is 32 GB. - - - - - - - - -**DeliveryOptimization/DOMinFileSizeToCache** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. - -
The default value is 100 MB. - - - - - - - - -**DeliveryOptimization/DOMinRAMAllowedToPeer** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. - -
The default value is 4 GB. - - - - - - - -**DeliveryOptimization/DOModifyCacheDrive** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. - -
By default, %SystemDrive% is used to store the cache. - - - - - - - -**DeliveryOptimization/DOMonthlyUploadDataCap** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. - -
The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. - -
The default value is 20. - - - - - - - -**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - -
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. - - - - - - - -**Desktop/PreventUserRedirectionOfProfileFolders** - - -Prevents users from changing the path to their profile folders. - -By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. - -If you enable this setting, users are unable to type a new location in the Target box. - - - - - -ADMX Info: -- GP english name: *Prohibit User from manually redirecting Profile Folders* -- GP name: *DisablePersonalDirChange* -- GP path: *Desktop* -- GP ADMX file name: *desktop.admx* - - - - -**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** - - -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. - - - - - -ADMX Info: -- GP english name: *Prevent installation of devices that match any of these device IDs* -- GP name: *DeviceInstall_IDs_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - -**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** - - -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. - -If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. - -If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. - - - - - -ADMX Info: -- GP english name: *Prevent installation of devices using drivers that match these device setup classes* -- GP name: *DeviceInstall_Classes_Deny* -- GP path: *System/Device Installation/Device Installation Restrictions* -- GP ADMX file name: *deviceinstallation.admx* - - - - -**DeviceLock/AllowIdleReturnWithoutPassword** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether the user must input a PIN or password when the device resumes from an idle state. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - - - - - - - -**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - -> [!IMPORTANT] -> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. - - - - - - - - -**DeviceLock/AllowSimpleDevicePassword** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - - - - -**DeviceLock/AlphanumericDevicePasswordRequired** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). - - -
The following list shows the supported values: - -- 0 – Alphanumeric PIN or password required. -- 1 – Numeric PIN or password required. -- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password. - -> [!NOTE] -> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. -> -> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. - - - - - - - - -**DeviceLock/DevicePasswordEnabled** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether device lock is enabled. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - - -
The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -> [!IMPORTANT] -> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: -> -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock -> - MinDevicePasswordComplexCharacters - - -> [!IMPORTANT] -> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: -> -> - MinDevicePasswordLength is set to 4 -> - MinDevicePasswordComplexCharacters is set to 1 -> -> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: -> -> - MinDevicePasswordLength -> - MinDevicePasswordComplexCharacters - -> [!Important] -> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: -> - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters -> - DevicePasswordExpiration -> - DevicePasswordHistory -> - MaxDevicePasswordFailedAttempts -> - MaxInactivityTimeDeviceLock - - - - - - - -**DeviceLock/DevicePasswordExpiration** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies when the password expires (in days). - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- An integer X where 0 <= X <= 730. -- 0 (default) - Passwords do not expire. - -
If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - - - - -**DeviceLock/DevicePasswordHistory** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies how many passwords can be stored in the history that can’t be used. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- An integer X where 0 <= X <= 50. -- 0 (default) - -
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. - -
Max policy value is the most restricted. - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - - - - -**DeviceLock/EnforceLockScreenAndLogonImage** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. - -> [!NOTE] -> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. - - -
Value type is a string, which is the full image filepath and filename. - - - - - - - -**DeviceLock/EnforceLockScreenProvider** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. - -> [!NOTE] -> This policy is only enforced in Windows 10 for mobile devices. - - -
Value type is a string, which is the AppID. - - - - - - - -**DeviceLock/MaxDevicePasswordFailedAttempts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This policy has different behaviors on the mobile device and desktop. - -- On a mobile device, when the user reaches the value set by this policy, then the device is wiped. -- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. - - Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. - -
The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. -- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. - -
Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - - - - -**DeviceLock/MaxInactivityTimeDeviceLock** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). - - - - - - - -**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. - - -
The following list shows the supported values: - -- An integer X where 0 <= X <= 999. -- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." - - - - - - - -**DeviceLock/MinDevicePasswordComplexCharacters** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - -
PIN enforces the following behavior for desktop and mobile devices: - -- 1 - Digits only -- 2 - Digits and lowercase letters are required -- 3 - Digits, lowercase letters, and uppercase letters are required -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required - -
The default value is 1. The following list shows the supported values and actual enforced values: - -
| Account Type | -Supported Values | -Actual Enforced Values | -
|---|---|---|
Mobile |
-1,2,3,4 |
-Same as the value set |
-
Desktop Local Accounts |
-1,2,3 |
-3 |
-
Desktop Microsoft Accounts |
-1,2 |
-|
Desktop Domain Accounts |
-Not supported |
-Not supported | -
Enforced values for Local and Microsoft Accounts: - -- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. -- Passwords for local accounts must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - - Be at least six characters in length - - Contain characters from three of the following four categories: - - - English uppercase characters (A through Z) - - English lowercase characters (a through z) - - Base 10 digits (0 through 9) - - Special characters (!, $, \#, %, etc.) - -
The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - - - - -**DeviceLock/MinDevicePasswordLength** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies the minimum number or characters required in the PIN or password. - -> [!NOTE] -> This policy must be wrapped in an Atomic command. -> -> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. - - -
The following list shows the supported values: - -- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. -- Not enforced. -- The default value is 4 for mobile devices and desktop devices. - -
Max policy value is the most restricted. - -
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). - - - - - - - -**DeviceLock/PreventLockScreenSlideShow** - - -Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. - -By default, users can enable a slide show that will run after they lock the machine. - -If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. - - - - - -ADMX Info: -- GP english name: *Prevent enabling lock screen slide show* -- GP name: *CPL_Personalization_NoLockScreenSlideshow* -- GP path: *Control Panel/Personalization* -- GP ADMX file name: *ControlPanelDisplay.admx* - - - - -**DeviceLock/ScreenTimeoutWhileLocked** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. - -
Minimum supported value is 10. - -
Maximum supported value is 1800. - -
The default value is 10. - -
Most restricted value is 0. - - - - - - - -**Display/TurnOffGdiDPIScalingForApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. - -
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. - -
If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. - -
If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. - -
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. - -
To validate on Desktop, do the following: - -1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. -2. Run the app and observe blurry text. - - - - - - - -**Display/TurnOnGdiDPIScalingForApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. - -
This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. - -
If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. - -
If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. - -
If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. - -
To validate on Desktop, do the following: - -1. Configure the setting for an app which uses GDI. -2. Run the app and observe crisp text. - - - - - - - -**EnterpriseCloudPrint/CloudPrintOAuthAuthority** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. - -
The datatype is a string. - -
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". - - - - - - - -**EnterpriseCloudPrint/CloudPrintOAuthClientId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. - -
The datatype is a string. - -
The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". - - - - - - - -**EnterpriseCloudPrint/CloudPrintResourceId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. - -
The datatype is a string. - -
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". - - - - - - - -**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. - -
The datatype is a string. - -
The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". - - - - - - - -**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. - -
The datatype is an integer. - -
For Windows Mobile, the default value is 20. - - - - - - - -**EnterpriseCloudPrint/MopriaDiscoveryResourceId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. - -
The datatype is a string. - -
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". - - - - - - - -**ErrorReporting/CustomizeConsentSettings** - - -This policy setting determines the consent behavior of Windows Error Reporting for specific event types. - -If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - -- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - -- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. - -- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. - -- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. - -- 4 (Send all data): Any data requested by Microsoft is sent automatically. - -If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. - - - - - -ADMX Info: -- GP english name: *Customize consent settings* -- GP name: *WerConsentCustomize_2* -- GP path: *Windows Components/Windows Error Reporting/Consent* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/DisableWindowsErrorReporting** - - -This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. - -If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. - -If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. - - - - - -ADMX Info: -- GP english name: *Disable Windows Error Reporting* -- GP name: *WerDisable_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/DisplayErrorNotification** - - -This policy setting controls whether users are shown an error dialog box that lets them report an error. - -If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. - -If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users. - -If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. - -See also the Configure Error Reporting policy setting. - - - - - -ADMX Info: -- GP english name: *Display Error Notification* -- GP name: *PCH_ShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/DoNotSendAdditionalData** - - -This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. - -If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. - -If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. - - - - - -ADMX Info: -- GP english name: *Do not send additional data* -- GP name: *WerNoSecondLevelData_2* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**ErrorReporting/PreventCriticalErrorDisplay** - - -This policy setting prevents the display of the user interface for critical errors. - -If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. - -If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. - - - - - -ADMX Info: -- GP english name: *Prevent display of the user interface for critical errors* -- GP name: *WerDoNotShowUI* -- GP path: *Windows Components/Windows Error Reporting* -- GP ADMX file name: *ErrorReporting.admx* - - - - -**EventLogService/ControlEventLogBehavior** - - -This policy setting controls Event Log behavior when the log file reaches its maximum size. - -If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. - -If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. - -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. - - - - - -ADMX Info: -- GP english name: *Control Event Log behavior when the log file reaches its maximum size* -- GP name: *Channel_Log_Retention_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeApplicationLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_1* -- GP path: *Windows Components/Event Log Service/Application* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeSecurityLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_2* -- GP path: *Windows Components/Event Log Service/Security* -- GP ADMX file name: *eventlog.admx* - - - - -**EventLogService/SpecifyMaximumFileSizeSystemLog** - - -This policy setting specifies the maximum size of the log file in kilobytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. - - - - - -ADMX Info: -- GP english name: *Specify the maximum log file size (KB)* -- GP name: *Channel_LogMaxSize_4* -- GP path: *Windows Components/Event Log Service/System* -- GP ADMX file name: *eventlog.admx* - - - - -**Experience/AllowCopyPaste** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether copy and paste is allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowCortana** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - -
Benefit to the customer: - -
Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. - -
Sample scenario: - -
An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. - - - - - - - -**Experience/AllowDeviceDiscovery** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows users to turn on/off device discovery UX. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowFindMyDevice** - - -
Added in Windows 10, version 1703. This policy turns on Find My Device feature. - -
When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. - -
When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. - - - - - - - -**Experience/AllowManualMDMUnenrollment** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to allow the user to delete the workplace account using the workplace control panel. - -> [!NOTE] -> The MDM server can always remotely delete the account. - - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowSIMErrorDialogPromptWhenNoSIM** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to display dialog prompt when no SIM card is detected. - -
The following list shows the supported values: - -- 0 – SIM card dialog prompt is not displayed. -- 1 (default) – SIM card dialog prompt is displayed. - - - - - - - -**Experience/AllowScreenCapture** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether screen capture is allowed. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowSyncMySettings** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). - -
The following list shows the supported values: - -- 0 – Sync settings is not allowed. -- 1 (default) – Sync settings allowed. - - - - - - - -**Experience/AllowTailoredExperiencesWithDiagnosticData** - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -
Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. - -
Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. - -> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowTaskSwitcher** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows task switching on the device. - -
The following list shows the supported values: - -- 0 – Task switching not allowed. -- 1 (default) – Task switching allowed. - - - - - - - -**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. - -
The following list shows the supported values: - -- 0 – Third-party suggestions not allowed. -- 1 (default) – Third-party suggestions allowed. - - - - - - - -**Experience/AllowVoiceRecording** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether voice recording is allowed for apps. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowWindowsConsumerFeatures** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. - -> [!IMPORTANT] -> This node must be accessed using the following paths: -> -> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. -> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. - - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowWindowsSpotlight** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowWindowsSpotlightOnActionCenter** - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -
Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** - - -> [!NOTE] -> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. - -
Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. -The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Experience/AllowWindowsTips** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Enabled. - - - - - - - -**Experience/ConfigureWindowsSpotlightOnLockScreen** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. - -
The following list shows the supported values: - -- 0 – None. -- 1 (default) – Windows spotlight enabled. -- 2 – placeholder only for future extension. Using this value has no effect. - - - - - - - -**Experience/DoNotShowFeedbackNotifications** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Prevents devices from showing feedback questions from Microsoft. - -
If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. - -
If you disable or do not configure this policy setting, users can control how often they receive feedback questions. - -
The following list shows the supported values: - -- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. -- 1 – Feedback notifications are disabled. - - - - - - - -**Games/AllowAdvancedGamingServices** - - -
Placeholder only. Currently not supported. - - - - - - - -**InternetExplorer/AddSearchProvider** - - -This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. - -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. - -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. - - - - - -ADMX Info: -- GP english name: *Add a specific list of search providers to the user's list of search providers* -- GP name: *AddSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowActiveXFiltering** - - -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. - -If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. - -If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. - - - - - -ADMX Info: -- GP english name: *Turn on ActiveX Filtering* -- GP name: *TurnOnActiveXFiltering* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowAddOnList** - - -This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. - -This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. - -If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: - -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. - -Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. - -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. - - - - - -ADMX Info: -- GP english name: *Add-on List* -- GP name: *AddonManagement_AddOnList* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowEnhancedProtectedMode** - - -Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. - -If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. - -If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. - -If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. - - - - - -ADMX Info: -- GP english name: *Turn on Enhanced Protected Mode* -- GP name: *Advanced_EnableEnhancedProtectedMode* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowEnterpriseModeFromToolsMenu** - - -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. - -If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. - -If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. - - - - - -ADMX Info: -- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* -- GP name: *EnterpriseModeEnable* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowEnterpriseModeSiteList** - - -This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. - -If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. - -If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. - - - - - -ADMX Info: -- GP english name: *Use the Enterprise Mode IE website list* -- GP name: *EnterpriseModeSiteList* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetExplorer7PolicyList ** - - -This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. - -If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. - -If you disable or do not configure this policy setting, the user can add and remove sites from the list. - - - - - -ADMX Info: -- GP english name: *Use Policy List of Internet Explorer 7 sites* -- GP name: *CompatView_UsePolicyList* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetExplorerStandardsMode** - - -This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. - -If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. - -If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. - -If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. - - - - - -ADMX Info: -- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* -- GP name: *CompatView_IntranetSites* -- GP path: *Windows Components/Internet Explorer/Compatibility View* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowInternetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowIntranetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLocalMachineZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownInternetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Locked-Down Internet Zone Template* -- GP name: *IZ_PolicyInternetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownIntranetZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Locked-Down Intranet Zone Template* -- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Locked-Down Local Machine Zone Template* -- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Locked-Down Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowOneWordEntry** - - -This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. - -If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. - -If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. - - - - - -ADMX Info: -- GP english name: *Go to an intranet site for a one-word entry in the Address bar* -- GP name: *UseIntranetSiteForOneWordEntry* -- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowSiteToZoneAssignmentList** - - -This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. - -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) - -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: - -Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. - -Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. - -If you disable or do not configure this policy, users may choose their own site-to-zone assignments. - - - - - -ADMX Info: -- GP english name: *Site to Zone Assignment List* -- GP name: *IZ_Zonemaps* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowSuggestedSites** - - -This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. - -If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. - -If you disable this policy setting, the entry points and functionality associated with this feature are turned off. - -If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. - - - - - -ADMX Info: -- GP english name: *Turn on Suggested Sites* -- GP name: *EnableSuggestedSites* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowTrustedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Locked-Down Trusted Sites Zone Template* -- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/AllowsRestrictedSitesZoneTemplate** - - -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. - -If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. - -If you disable this template policy setting, no security level is configured. - -If you do not configure this template policy setting, no security level is configured. - -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. - -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. - - - - - -ADMX Info: -- GP english name: *Restricted Sites Zone Template* -- GP name: *IZ_PolicyRestrictedSitesZoneTemplate* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableAdobeFlash** - - -This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects. - -If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings. - -If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box. - -Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library. - - - - - -ADMX Info: -- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects* -- GP name: *DisableFlashInIE* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableBypassOfSmartScreenWarnings** - - -This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. - -If you enable this policy setting, SmartScreen Filter warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - - - - -ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings* -- GP name: *DisableSafetyFilterOverride* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles** - - -This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. - -If you enable this policy setting, SmartScreen Filter warnings block the user. - -If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings. - - - - - -ADMX Info: -- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet* -- GP name: *DisableSafetyFilterOverrideForAppRepUnknown* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** - - -This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP). - -If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. - -If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu. - -If you do not configure this policy setting, the user can choose to participate in the CEIP. - - - - - -ADMX Info: -- GP english name: *Prevent participation in the Customer Experience Improvement Program* -- GP name: *SQM_DisableCEIP* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableEnclosureDownloading** - - -This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. - -If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. - -If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. - - - - - -ADMX Info: -- GP english name: *Prevent downloading of enclosures* -- GP name: *Disable_Downloading_of_Enclosures* -- GP path: *Windows Components/RSS Feeds* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableEncryptionSupport** - - -This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match. - -If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list. - -If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. - -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. - - - - - -ADMX Info: -- GP english name: *Turn off encryption support* -- GP name: *Advanced_SetWinInetProtocols* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableFirstRunWizard** - - -This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. - -If you enable this policy setting, you must make one of the following choices: -Skip the First Run wizard, and go directly to the user's home page. -Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage. - -Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. - -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. - - - - - -ADMX Info: -- GP english name: *Prevent running First Run wizard* -- GP name: *NoFirstRunCustomise* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableFlipAheadFeature** - - -This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. - -Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop. - -If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background. - -If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background. - -If you don't configure this setting, users can turn this behavior on or off, using the Settings charm. - - - - - -ADMX Info: -- GP english name: *Turn off the flip ahead with page prediction feature* -- GP name: *Advanced_DisableFlipAhead* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableHomePageChange** - - -The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run. - -If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies. - -If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page. - - - - - -ADMX Info: -- GP english name: *Disable changing home page settings* -- GP name: *RestrictHomePage* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableProxyChange** - - -This policy setting specifies if a user can change proxy settings. - -If you enable this policy setting, the user will not be able to configure proxy settings. - -If you disable or do not configure this policy setting, the user can configure proxy settings. - - - - - -ADMX Info: -- GP english name: *Prevent changing proxy settings* -- GP name: *RestrictProxy* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableSearchProviderChange** - - -This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box. - -If you enable this policy setting, the user cannot change the default search provider. - -If you disable or do not configure this policy setting, the user can change the default search provider. - - - - - -ADMX Info: -- GP english name: *Prevent changing the default search provider* -- GP name: *NoSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableSecondaryHomePageChange** - - -Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages. - -If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages. - -If you disable or do not configure this policy setting, the user can add secondary home pages. - -Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages. - - - - - -ADMX Info: -- GP english name: *Disable changing secondary home page settings* -- GP name: *SecondaryHomePages* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DisableUpdateCheck** - - -Prevents Internet Explorer from checking whether a new version of the browser is available. - -If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. - -If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. - -This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser. - - - - - -ADMX Info: -- GP english name: *Disable Periodic Check for Internet Explorer software updates* -- GP name: *NoUpdateCheck* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotAllowUsersToAddSites** - - -Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. - -If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.) - -If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone. - -This policy prevents users from changing site management settings for security zones established by the administrator. - -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. - -Also, see the "Security zones: Use only machine settings" policy. - - - - - -ADMX Info: -- GP english name: *Security Zones: Do not allow users to add/delete sites* -- GP name: *Security_zones_map_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotAllowUsersToChangePolicies** - - -Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. - -If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. - -If you disable this policy or do not configure it, users can change the settings for security zones. - -This policy prevents users from changing security zone settings established by the administrator. - -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. - -Also, see the "Security zones: Use only machine settings" policy. - - - - - -ADMX Info: -- GP english name: *Security Zones: Do not allow users to change policies* -- GP name: *Security_options_edit* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotBlockOutdatedActiveXControls** - - -This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. - -If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls. - -If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls. - -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - - - - -ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer* -- GP name: *VerMgmtDisable* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** - - -This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. - -If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: - -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" - -If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. - -For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. - - - - - -ADMX Info: -- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains* -- GP name: *VerMgmtDomainAllowlist* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IncludeAllLocalSites** - - -This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. - -If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. - -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). - -If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. - - - - - -ADMX Info: -- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones* -- GP name: *IZ_IncludeUnspecifiedLocalSites* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IncludeAllNetworkPaths** - - -This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. - -If you enable this policy setting, all network paths are mapped into the Intranet Zone. - -If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there). - -If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. - - - - - -ADMX Info: -- GP english name: *Intranet Sites: Include all network paths (UNCs)* -- GP name: *IZ_UNCAsIntranet* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/InternetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. - -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. - -If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/SearchProviderList** - - -This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. - -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. - -If you disable or do not configure this policy setting, the user can configure his or her list of search providers. - - - - - -ADMX Info: -- GP english name: *Restrict search providers to a specific list* -- GP name: *SpecificSearchProvider* -- GP path: *Windows Components/Internet Explorer* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** - - -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). - -If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - -If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. - - - - - -ADMX Info: -- GP english name: *Access data sources across domains* -- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** - - -This policy setting manages whether users will be automatically prompted for ActiveX control installations. - -If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - -If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. - -If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for ActiveX controls* -- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** - - -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. - -If you enable this setting, users will receive a file download dialog for automatic download attempts. - -If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. - - - - - -ADMX Info: -- GP english name: *Automatic prompting for file downloads* -- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowFontDownloads** - - -This policy setting allows you to manage whether pages of the zone may download HTML fonts. - -If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. - -If you disable this policy setting, HTML fonts are prevented from downloading. - -If you do not configure this policy setting, HTML fonts can be downloaded automatically. - - - - - -ADMX Info: -- GP english name: *Allow font downloads* -- GP name: *IZ_PolicyFontDownload_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** - - -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. - -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. - -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. - -If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. - - - - - -ADMX Info: -- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* -- GP name: *IZ_PolicyZoneElevationURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** - - -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. - -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. - -If you disable this policy setting, Internet Explorer will not execute unsigned managed components. - -If you do not configure this policy setting, Internet Explorer will execute unsigned managed components. - - - - - -ADMX Info: -- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* -- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowScriptlets** - - -This policy setting allows you to manage whether the user can run scriptlets. - -If you enable this policy setting, the user can run scriptlets. - -If you disable this policy setting, the user cannot run scriptlets. - -If you do not configure this policy setting, the user can enable or disable scriptlets. - - - - - -ADMX Info: -- GP english name: *Allow scriptlets* -- GP name: *IZ_Policy_AllowScriptlets_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** - - -This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. - -If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. - -If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. - -If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. - -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. - - - - - -ADMX Info: -- GP english name: *Turn on SmartScreen Filter scan* -- GP name: *IZ_Policy_Phishing_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** - - -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. - -If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - -If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. - - - - - -ADMX Info: -- GP english name: *Userdata persistence* -- GP name: *IZ_PolicyUserdataPersistence_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** - - -This policy setting allows you to manage ActiveX controls not marked as safe. - -If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. - -If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. - -If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. - -If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted. - - - - - -ADMX Info: -- GP english name: *Initialize and script ActiveX controls not marked as safe* -- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** - - -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. - -If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. - -If you disable this policy setting, users cannot open windows and frames to access applications from different domains. - -If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. - - - - - -ADMX Info: -- GP english name: *Navigate windows and frames across different domains* -- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5* -- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* -- GP ADMX file name: *inetres.admx* - - - - -**Kerberos/AllowForestSearchOrder** - - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). - -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. - -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - - - - -ADMX Info: -- GP english name: *None* -- GP name: *ForestSearch* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. - -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - - - - - -ADMX Info: -- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/RequireKerberosArmoring** - - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. - -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. - -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. - -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. - -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - - - - - -ADMX Info: -- GP english name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/RequireStrictKDCValidation** - - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. - -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. - -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - - - - - -ADMX Info: -- GP english name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Kerberos/SetMaximumContextTokenSize** - - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. - -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. - -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. - -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - - - - - - -ADMX Info: -- GP english name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -**Licensing/AllowWindowsEntitlementReactivation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices. - -
The following list shows the supported values: - -- 0 – Disable Windows license reactivation on managed devices. -- 1 (default) – Enable Windows license reactivation on managed devices. - - - - - - - -**Licensing/DisallowKMSClientOnlineAVSValidation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. - -
The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - - - - - -**Location/EnableLocation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- |
- |
- |
- |
- |
-
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. - -> [!IMPORTANT] -> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. - -
The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - -
To validate on Desktop, do the following: - -1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. -2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - - - - - -**LockDown/AllowEdgeSwipe** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch. - -
The following list shows the supported values: - -- 0 - disallow edge swipe. -- 1 (default, not configured) - allow edge swipe. - -
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. - - - - - - - -**Maps/AllowOfflineMapsDownloadOverMeteredConnection** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Allows the download and update of map data over metered connections. - -
The following list shows the supported values: - -- 65535 (default) – Not configured. User's choice. -- 0 – Disabled. Force disable auto-update over metered connection. -- 1 – Enabled. Force enable auto-update over metered connection. - -
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - - - - -**Maps/EnableOfflineMapsAutoUpdate** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Disables the automatic download and update of map data. - -
The following list shows the supported values: - -- 65535 (default) – Not configured. User's choice. -- 0 – Disabled. Force off auto-update. -- 1 – Enabled. Force on auto-update. - -
After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. - - - - - - - -**Messaging/AllowMMS** - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -
Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement. - -
The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Enabled. - - - - - - - -**Messaging/AllowMessageSync** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control. - -
The following list shows the supported values: - -- 0 - message sync is not allowed and cannot be changed by the user. -- 1 - message sync is allowed. The user can change this setting. - - - - - - - -**Messaging/AllowRCS** - - -> [!NOTE] -> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. - -
Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement. - -
The following list shows the supported values: - -- 0 - Disabled. -- 1 (default) - Enabled. - - - - - - - -**NetworkIsolation/EnterpriseCloudResources** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**. - - - - - - - -**NetworkIsolation/EnterpriseIPRange** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example: - -``` syntax -10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255, -192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff, -2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff, -2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, -fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - -``` - - - - - - - -**NetworkIsolation/EnterpriseIPRangesAreAuthoritative** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. - - - - - - - -**NetworkIsolation/EnterpriseInternalProxyServers** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies. - - - - - - - -**NetworkIsolation/EnterpriseNetworkDomainNames** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". - -> [!NOTE] -> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. - - -
Here are the steps to create canonical domain names: - -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. -2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. -3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). - - - - - - - -**NetworkIsolation/EnterpriseProxyServers** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". - - - - - - - -**NetworkIsolation/EnterpriseProxyServersAreAuthoritative** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. - - - - - - - -**NetworkIsolation/NeutralResources** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
List of domain names that can used for work or personal resource. - - - - - - - -**Notifications/DisallowNotificationMirroring** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring. - -
For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. - -
No reboot or service restart is required for this policy to take effect. - -
The following list shows the supported values: - -- 0 (default)– enable notification mirroring. -- 1 – disable notification mirroring. - - - - - - - -**Power/AllowStandbyWhenSleepingPluggedIn** - - -This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. - -If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. - -If you disable this policy setting, standby states (S1-S3) are not allowed. - - - - - -ADMX Info: -- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)* -- GP name: *AllowStandbyStatesAC_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -**Power/RequirePasswordWhenComputerWakesOnBattery** - - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. - -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - - - - -ADMX Info: -- GP english name: *Require a password when a computer wakes (on battery)* -- GP name: *DCPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -**Power/RequirePasswordWhenComputerWakesPluggedIn** - - -This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. - -If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. - -If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep. - - - - - -ADMX Info: -- GP english name: *Require a password when a computer wakes (plugged in)* -- GP name: *ACPromptForPasswordOnResume_2* -- GP path: *System/Power Management/Sleep Settings* -- GP ADMX file name: *power.admx* - - - - -**Printers/PointAndPrintRestrictions** - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. - -If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - - - -ADMX Info: -- GP english name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions_Win7* -- GP path: *Printers* -- GP ADMX file name: *Printing.admx* - - - - -**Printers/PointAndPrintRestrictions_User** - - -This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. - -If you enable this policy setting: --Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. --You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated. - -If you do not configure this policy setting: --Windows Vista client computers can point and print to any server. --Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. - -If you disable this policy setting: --Windows Vista client computers can create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. --Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. --Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. --The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). - - - - - -ADMX Info: -- GP english name: *Point and Print Restrictions* -- GP name: *PointAndPrint_Restrictions* -- GP ADMX file name: *Printing.admx* - - - - -**Printers/PublishPrinters** - - -Determines whether the computer's shared printers can be published in Active Directory. - -If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. - -If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available. - -Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory". - - - - - -ADMX Info: -- GP english name: *Allow printers to be published* -- GP name: *PublishPrinters* -- GP path: *Printers* -- GP ADMX file name: *Printing2.admx* - - - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -
The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - -
Most restricted value is 0. - - - - - - - -**Privacy/AllowInputPersonalization** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. - -
The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Allowed. - -
Most restricted value is 0. - - - - - - - -**Privacy/DisableAdvertisingId** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -
The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - -
Most restricted value is 0. - - - - - - - -**Privacy/LetAppsAccessAccountInfo** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCalendar** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCallHistory** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - - - - - -**Privacy/LetAppsAccessCamera** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessContacts** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessEmail** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessLocation** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMessaging** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMicrophone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMotion** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessNotifications** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessPhone** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessRadios** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessTasks** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - - - - - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessTrustedDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsGetDiagnosticInfo** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsRunInBackground** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - -
The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - - - - - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsSyncWithDevices** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - -
The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - -
Most restricted value is 2. - - - - - - - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - - - - - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - -
| Home | -Pro | -Business | -Enterprise | -Education | -Mobile | -MobileEnterprise | -
|---|---|---|---|---|---|---|
|
- |
- - | |
- |
- |
- |
-
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
-
-
-
-
-
-
-
-**RemoteAssistance/CustomizeWarningMessages**
-
-
-This policy setting lets you customize warning messages.
-
-The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.
-
-The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.
-
-If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.
-
-If you disable this policy setting, the user sees the default warning message.
-
-If you do not configure this policy setting, the user sees the default warning message.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Customize warning messages*
-- GP name: *RA_Options*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteAssistance/SessionLogging**
-
-
-This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
-
-If you enable this policy setting, log files are generated.
-
-If you disable this policy setting, log files are not generated.
-
-If you do not configure this setting, application-based settings are used.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Turn on session logging*
-- GP name: *RA_Logging*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteAssistance/SolicitedRemoteAssistance**
-
-
-This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
-
-If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
-
-If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
-
-If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
-
-If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
-
-The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
-
-The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
-
-If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Configure Solicited Remote Assistance*
-- GP name: *RA_Solicit*
-- GP path: *System/Remote Assistance*
-- GP ADMX file name: *remoteassistance.admx*
-
-
-
-
-**RemoteAssistance/UnsolicitedRemoteAssistance**
-
-
-This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
-
-If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
-
-If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
-
-If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
-
-If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
-
-To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
-
- Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
-
- When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified.
-
- When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Search/AllowSearchToUseLocation**
-
-
- Specifies whether search can leverage location information.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Search/AllowUsingDiacritics**
-
-
- Allows the use of diacritics.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Search/AlwaysUseAutoLangDetection**
-
-
- Specifies whether to always use automatic language detection when indexing content and properties.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Search/DisableBackoff**
-
-
- If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
-
- The following list shows the supported values:
-
-- 0 (default) – Disable.
-- 1 – Enable.
-
-
-
-
-
-
-
-**Search/DisableRemovableDriveIndexing**
-
-
- This policy setting configures whether or not locations on removable drives can be added to libraries.
-
- If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed.
-
- If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed.
-
- The following list shows the supported values:
-
-- 0 (default) – Disable.
-- 1 – Enable.
-
-
-
-
-
-
-
-**Search/PreventIndexingLowDiskSpaceMB**
-
-
- Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB.
-
- Enable this policy if computers in your environment have extremely limited hard drive space.
-
- When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size.
-
- The following list shows the supported values:
-
-- 0 – Disable.
-- 1 (default) – Enable.
-
-
-
-
-
-
-
-**Search/PreventRemoteQueries**
-
-
- If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
-
- The following list shows the supported values:
-
-- 0 – Disable.
-- 1 (default) – Enable.
-
-
-
-
-
-
-
-**Search/SafeSearchPermissions**
-
-
- Specifies what level of safe search (filtering adult content) is required.
-
- The following list shows the supported values:
-
-- 0 – Strict, highest filtering against adult content.
-- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered).
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Security/AllowAddProvisioningPackage**
-
-
- Specifies whether to allow the runtime configuration agent to install provisioning packages.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
-
- Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Security/AllowManualRootCertificateInstallation**
-
-
- Specifies whether the user is allowed to manually install root and intermediate CA certificates.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Security/AllowRemoveProvisioningPackage**
-
-
- Specifies whether to allow the runtime configuration agent to remove provisioning packages.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Security/AntiTheftMode**
-
-
- Allows or disallow Anti Theft Mode on the device.
-
- The following list shows the supported values:
-
-- 0 – Don't allow Anti Theft Mode.
-- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent).
-
-
-
-
-
-
-
-**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
-
- Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
-
- Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
-
- The following list shows the supported values:
-
-- 0 (default) – Encryption enabled.
-- 1 – Encryption disabled.
-
-
-
-
-
-
-
-**Security/RequireDeviceEncryption**
-
-
- Allows enterprise to turn on internal storage encryption.
-
- The following list shows the supported values:
-
-- 0 (default) – Encryption is not required.
-- 1 – Encryption is required.
-
- Most restricted value is 1.
-
-> [!IMPORTANT]
-> If encryption has been enabled, it cannot be turned off by using this policy.
-
-
-
-
-
-
-
-
-**Security/RequireProvisioningPackageSignature**
-
-
- Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
-
- The following list shows the supported values:
-
-- 0 (default) – Not required.
-- 1 – Required.
-
-
-
-
-
-
-
-**Security/RequireRetrieveHealthCertificateOnBoot**
-
-
- Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
-
- The following list shows the supported values:
-
-- 0 (default) – Not required.
-- 1 – Required.
-
- Setting this policy to 1 (Required):
-
-- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0.
-- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
-
-> [!NOTE]
-> We recommend that this policy is set to Required after MDM enrollment.
-
-
- Most restricted value is 1.
-
-
-
-
-
-
-
-**Settings/AllowAutoPlay**
-
-
- Allows the user to change Auto Play settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-> [!NOTE]
-> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
-
-
-
-
-
-
-
-
-**Settings/AllowDataSense**
-
-
- Allows the user to change Data Sense settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowDateTime**
-
-
- Allows the user to change date and time settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowEditDeviceName**
-
-
- Allows editing of the device name.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowLanguage**
-
-
- Allows the user to change the language settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowPowerSleep**
-
-
- Allows the user to change power and sleep settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowRegion**
-
-
- Allows the user to change the region settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowSignInOptions**
-
-
- Allows the user to change sign-in options.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowVPN**
-
-
- Allows the user to change VPN settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowWorkplace**
-
-
- Allows user to change workplace settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/AllowYourAccount**
-
-
- Allows user to change account settings.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Settings/ConfigureTaskbarCalendar**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
-
- The following list shows the supported values:
-
-- 0 (default) – User will be allowed to configure the setting.
-- 1 – Don't show additional calendars.
-- 2 - Simplified Chinese (Lunar).
-- 3 - Traditional Chinese (Lunar).
-
-
-
-
-
-
-
-**Settings/PageVisibilityList**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
-
- The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
-
- showonly:about;bluetooth
-
- If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
-
- The format of the PageVisibilityList value is as follows:
-
-- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
-- There are two variants: one that shows only the given pages and one which hides the given pages.
-- The first variant starts with the string "showonly:" and the second with the string "hide:".
-- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
-- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi".
-
- The default value for this setting is an empty string, which is interpreted as show everything.
-
- Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
-
- showonly:wi-fi;bluetooth
-
- Example 2, specifies that the wifi page should not be shown:
-
- hide:wifi
-
- To validate on Desktop, do the following:
-
-1. Open System Settings and verfiy that the About page is visible and accessible.
-2. Configure the policy with the following string: "hide:about".
-3. Open System Settings again and verify that the About page is no longer accessible.
-
-
-
-
-
-
-
-**SmartScreen/EnableAppInstallControl**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
-
- The following list shows the supported values:
-
-- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
-- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store.
-
-
-
-
-
-
-
-**SmartScreen/EnableSmartScreenInShell**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
-
- The following list shows the supported values:
-
-- 0 – Turns off SmartScreen in Windows.
-- 1 – Turns on SmartScreen in Windows.
-
-
-
-
-
-
-
-**SmartScreen/PreventOverrideForFilesInShell**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
-
- The following list shows the supported values:
-
-- 0 – Employees can ignore SmartScreen warnings and run malicious files.
-- 1 – Employees cannot ignore SmartScreen warnings and run malicious files.
-
-
-
-
-
-
-
-**Speech/AllowSpeechModelUpdate**
-
-
- Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
-
-
-**Start/ForceStartSize**
-
-
- Forces the start screen size.
-
- The following list shows the supported values:
-
-- 0 (default) – Do not force size of Start.
-- 1 – Force non-fullscreen size of Start.
-- 2 - Force a fullscreen size of Start.
-
- If there is policy configuration conflict, the latest configuration request is applied to the device.
-
-
-
-
-
-
-
-**Start/HideAppList**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list.
-
- The following list shows the supported values:
-
-- 0 (default) – None.
-- 1 – Hide all apps list.
-- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app.
-- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app.
-
- To validate on Desktop, do the following:
-
-- 1 - Enable policy and restart explorer.exe
-- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out.
-- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out.
-- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out.
-
-
-
-
-
-
-
-**Start/HideChangeAccountSettings**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Change account settings" is not available.
-
-
-
-
-
-
-
-**Start/HideFrequentlyUsedApps**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable "Show most used apps" in the Settings app.
-2. Use some apps to get them into the most used group in Start.
-3. Enable policy.
-4. Restart explorer.exe
-5. Check that "Show most used apps" Settings toggle is grayed out.
-6. Check that most used apps do not appear in Start.
-
-
-
-
-
-
-
-**Start/HideHibernate**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Laptop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Hibernate" is not available.
-
-> [!NOTE]
-> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
-
-
-
-
-
-
-
-**Start/HideLock**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Lock" is not available.
-
-
-
-
-
-
-
-**Start/HidePowerButton**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, and verify the power button is not available.
-
-
-
-
-
-
-
-**Start/HideRecentJumplists**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings.
-2. Pin Photos to the taskbar, and open some images in the photos app.
-3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up.
-4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists.
-5. Enable policy.
-6. Restart explorer.exe
-7. Check that Settings toggle is grayed out.
-8. Repeat Step 2.
-9. Right Click pinned photos app and verify that there is no jumplist of recent items.
-
-
-
-
-
-
-
-**Start/HideRecentlyAddedApps**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable "Show recently added apps" in the Settings app.
-2. Check if there are recently added apps in Start (if not, install some).
-3. Enable policy.
-4. Restart explorer.exe
-5. Check that "Show recently added apps" Settings toggle is grayed out.
-6. Check that recently added apps do not appear in Start.
-
-
-
-
-
-
-
-**Start/HideRestart**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available.
-
-
-
-
-
-
-
-**Start/HideShutDown**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available.
-
-
-
-
-
-
-
-**Start/HideSignOut**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify "Sign out" is not available.
-
-
-
-
-
-
-
-**Start/HideSleep**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the Power button, and verify that "Sleep" is not available.
-
-
-
-
-
-
-
-**Start/HideSwitchAccount**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Open Start, click on the user tile, and verify that "Switch account" is not available.
-
-
-
-
-
-
-
-**Start/HideUserTile**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile.
-
- The following list shows the supported values:
-
-- 0 (default) – False (do not hide).
-- 1 - True (hide).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Log off.
-3. Log in, and verify that the user tile is gone from Start.
-
-
-
-
-
-
-
-**Start/ImportEdgeAssets**
-
-
-> [!NOTE]
-> This policy requires reboot to take effect.
-
- Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
-
-> [!IMPORTANT]
-> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
-
- The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic.
-
- To validate on Desktop, do the following:
-
-1. Set policy with an XML for Edge assets.
-2. Set StartLayout policy to anything so that it would trigger the Edge assets import.
-3. Sign out/in.
-4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path.
-
-
-
-
-
-
-
-**Start/NoPinningToTaskbar**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
-
- The following list shows the supported values:
-
-- 0 (default) – False (pinning enabled).
-- 1 - True (pinning disabled).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Right click on a program pinned to taskbar.
-3. Verify that "Unpin from taskbar" menu does not show.
-4. Open Start and right click on one of the app list icons.
-5. Verify that More->Pin to taskbar menu does not show.
-
-
-
-
-
-
-
-**Start/StartLayout**
-
-
- Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
-
- This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
-
-
-
-
-
-
-
-**Storage/EnhancedStorageDevices**
-
-
-This policy setting configures whether or not Windows will activate an Enhanced Storage device.
-
-If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.
-
-If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Do not allow Windows to activate Enhanced Storage devices*
-- GP name: *TCGSecurityActivationDisabled*
-- GP path: *System/Enhanced Storage Access*
-- GP ADMX file name: *enhancedstorage.admx*
-
-
-
-
-**System/AllowBuildPreview**
-
-
- This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software.
-
- If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable.
-
- The following list shows the supported values:
-
-- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software.
-- 1 – Allowed. Users can make their devices available for downloading and installing preview software.
-- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software.
-
-
-
-
-
-
-
-**System/AllowEmbeddedMode**
-
-
- Specifies whether set general purpose device to be in embedded mode.
-
- The following list shows the supported values:
-
-- 0 (default) – Not allowed.
-- 1 – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**System/AllowExperimentation**
-
-
- This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior.
-
- The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Permits Microsoft to configure device settings only.
-- 2 – Allows Microsoft to conduct full experimentations.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**System/AllowFontProviders**
-
-
- Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
-
- Supported values:
-
-- false - No traffic to fs.microsoft.com and only locally-installed fonts are available.
-- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
-
- This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
-
- This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content.
-
-> [!Note]
-> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service.
-
- To verify if System/AllowFontProviders is set to true:
-
-- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com.
-
-
-
-
-
-
-
-**System/AllowLocation**
-
-
- Specifies whether to allow app access to the Location service.
-
- The following list shows the supported values:
-
-- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search.
-- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off.
-- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed.
-
- Most restricted value is 0.
-
- While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy.
-
- When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting.
-
- For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off.
-
-
-
-
-
-
-
-**System/AllowStorageCard**
-
-
- Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
-
- The following list shows the supported values:
-
-- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
-- 1 (default) – Allow a storage card.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**System/AllowTelemetry**
-
-
- Allow the device to send diagnostic and usage telemetry data, such as Watson.
-
- The following tables describe the supported values:
-
- 0 – Not allowed. 1 – Allowed, except for Secondary Data Requests. 2 (default) – Allowed. 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. Most restricted value is 0.
-
-
-
-
-
-
-
-**System/AllowUserToResetPhone**
-
-
- Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed to reset to factory default settings.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**System/BootStartDriverInitialization**
-
-
-N/A
-
-
-
-
-
-ADMX Info:
-- GP english name: *Boot-Start Driver Initialization Policy*
-- GP name: *POL_DriverLoadPolicy_Name*
-- GP path: *System/Early Launch Antimalware*
-- GP ADMX file name: *earlylauncham.admx*
-
-
-
-
-**System/DisableOneDriveFileSync**
-
-
- Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
-
-* Users cannot access OneDrive from the OneDrive app or file picker.
-* Windows Store apps cannot access OneDrive using the WinRT API.
-* OneDrive does not appear in the navigation pane in File Explorer.
-* OneDrive files are not kept in sync with the cloud.
-* Users cannot automatically upload photos and videos from the camera roll folder.
-
- If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage.
-
- The following list shows the supported values:
-
-- 0 (default) – False (sync enabled).
-- 1 – True (sync disabled).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Restart machine.
-3. Verify that OneDrive.exe is not running in Task Manager.
-
-
-
-
-
-
-
-**System/DisableSystemRestore**
-
-
-Allows you to disable System Restore.
-
-This policy setting allows you to turn off System Restore.
-
-System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.
-
-If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.
-
-If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.
-
-Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Turn off System Restore*
-- GP name: *SR_DisableSR*
-- GP path: *System/System Restore*
-- GP ADMX file name: *systemrestore.admx*
-
-
-
-
-**System/TelemetryProxy**
-
-
- Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
-
- If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
-
-
-
-
-
-
-
-**TextInput/AllowIMELogging**
-
-
- Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowIMENetworkAccess**
-
-
- Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowInputPanel**
-
-
- Allows the IT admin to disable the touch/handwriting keyboard on Windows.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowJapaneseIMESurrogatePairCharacters**
-
-
- Allows the Japanese IME surrogate pair characters.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowJapaneseIVSCharacters**
-
-
- Allows Japanese Ideographic Variation Sequence (IVS) characters.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowJapaneseNonPublishingStandardGlyph**
-
-
- Allows the Japanese non-publishing standard glyph.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowJapaneseUserDictionary**
-
-
- Allows the Japanese user dictionary.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/AllowKeyboardTextSuggestions**
-
-
- Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
-
- The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Enabled.
-
- Most restricted value is 0.
-
- To validate that text prediction is disabled on Windows 10 for desktop, do the following:
-
-1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button.
-2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app.
-3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool.
-
-
-
-
-
-
-
-**TextInput/AllowKoreanExtendedHanja**
-
-
- This policy has been deprecated.
-
-
-
-
-
-
-
-**TextInput/AllowLanguageFeaturesUninstall**
-
-
- Allows the uninstall of language features, such as spell checkers, on a device.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**TextInput/ExcludeJapaneseIMEExceptJIS0208**
-
-
- Allows the users to restrict character code range of conversion by setting the character filter.
-
- The following list shows the supported values:
-
-- 0 (default) – No characters are filtered.
-- 1 – All characters except JIS0208 are filtered.
-
-
-
-
-
-
-
-**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
-
-
- Allows the users to restrict character code range of conversion by setting the character filter.
-
- The following list shows the supported values:
-
-- 0 (default) – No characters are filtered.
-- 1 – All characters except JIS0208 and EUDC are filtered.
-
-
-
-
-
-
-
-**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
-
-
- Allows the users to restrict character code range of conversion by setting the character filter.
-
- The following list shows the supported values:
-
-- 0 (default) – No characters are filtered.
-- 1 – All characters except ShiftJIS are filtered.
-
-
-
-
-
-
-
-**TimeLanguageSettings/AllowSet24HourClock**
-
-
- Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
-
- The following list shows the supported values:
-
-- 0 – Locale default setting.
-- 1 (default) – Set 24 hour clock.
-
-
-
-
-
-
-
-**Update/ActiveHoursEnd**
-
-
- Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
-
-> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
-
- Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
- The default is 17 (5 PM).
-
-
-
-
-
-
-
-**Update/ActiveHoursMaxRange**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
-
- Supported values are 8-18.
-
- The default value is 18 (hours).
-
-
-
-
-
-
-
-**Update/ActiveHoursStart**
-
-
- Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
-
-> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
-
- Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
- The default value is 8 (8 AM).
-
-
-
-
-
-
-
-**Update/AllowAutoUpdate**
-
-
- Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
-
- Supported operations are Get and Replace.
-
- The following list shows the supported values:
-
-- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
-- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
-- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
-- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
-- 5 – Turn off automatic updates.
-
-> [!IMPORTANT]
-> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
-
- If the policy is not configured, end-users get the default behavior (Auto install and restart).
-
-
-
-
-
-
-
-**Update/AllowMUUpdateService**
-
-
- Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
-
- The following list shows the supported values:
-
-- 0 – Not allowed or not configured.
-- 1 – Allowed. Accepts updates received through Microsoft Update.
-
-
-
-
-
-
-
-**Update/AllowNonMicrosoftSignedUpdate**
-
-
- Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
-
- Supported operations are Get and Replace.
-
- The following list shows the supported values:
-
-- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
-- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
-
- This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
-
-
-
-
-
-
-
-**Update/AllowUpdateService**
-
-
- Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
-
- Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
-
- Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.
-
- The following list shows the supported values:
-
-- 0 – Update service is not allowed.
-- 1 (default) – Update service is allowed.
-
-> [!NOTE]
-> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
-
-
-
-
-
-
-
-
-**Update/AutoRestartNotificationSchedule**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
-
- Supported values are 15, 30, 60, 120, and 240 (minutes).
-
- The default value is 15 (minutes).
-
-
-
-
-
-
-
-**Update/AutoRestartRequiredNotificationDismissal**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
-
- The following list shows the supported values:
-
-- 1 (default) – Auto Dismissal.
-- 2 – User Dismissal.
-
-
-
-
-
-
-
-**Update/BranchReadinessLevel**
-
-
- Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
-
- The following list shows the supported values:
-
-- 16 (default) – User gets all applicable upgrades from Current Branch (CB).
-- 32 – User gets upgrades from Current Branch for Business (CBB).
-
-
-
-
-
-
-
-**Update/DeferFeatureUpdatesPeriodInDays**
-
-
- Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
- Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
-
- Supported values are 0-365 days.
-
-> [!IMPORTANT]
-> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
-
-
-
-
-
-
-
-**Update/DeferQualityUpdatesPeriodInDays**
-
-
- Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
-
- Supported values are 0-30.
-
-
-
-
-
-
-
-**Update/DeferUpdatePeriod**
-
-
- Allows IT Admins to specify update delays for up to 4 weeks.
-
- Supported values are 0-4, which refers to the number of weeks to defer updates.
-
- In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:
-
-- Update/RequireDeferUpgrade must be set to 1
-- System/AllowTelemetry must be set to 1 or higher
-
- If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
- If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
- OS upgrade 8 months 1 month Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 Update 1 month 1 week Other/cannot defer No deferral No deferral Any update category not specifically enumerated above falls into this category. Definition Update - E0789628-CE08-4437-BE74-2495B842F43B Allows IT Admins to specify additional upgrade delays for up to 8 months.
-
- Supported values are 0-8, which refers to the number of months to defer upgrades.
-
- If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
- If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
-
-
-
-**Update/DetectionFrequency**
-
-
- Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
-
-
-
-
-
-
-
-**Update/EngagedRestartDeadline**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
-
- Supported values are 2-30 days.
-
- The default value is 0 days (not specified).
-
-
-
-
-
-
-
-**Update/EngagedRestartSnoozeSchedule**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
-
- Supported values are 1-3 days.
-
- The default value is 3 days.
-
-
-
-
-
-
-
-**Update/EngagedRestartTransitionSchedule**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-
- Supported values are 2-30 days.
-
- The default value is 7 days.
-
-
-
-
-
-
-
-**Update/ExcludeWUDriversInQualityUpdate**
-
-
- Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
- The following list shows the supported values:
-
-- 0 (default) – Allow Windows Update drivers.
-- 1 – Exclude Windows Update drivers.
-
-
-
-
-
-
-
-
-**Update/FillEmptyContentUrls**
-
-
- Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
-
-> [!NOTE]
-> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
-
- The following list shows the supported values:
-
-- 0 (default) – Disabled.
-- 1 – Enabled.
-
-
-
-
-
-
-
-**Update/IgnoreMOAppDownloadLimit**
-
-
- Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
-
-> [!WARNING]
-> Setting this policy might cause devices to incur costs from MO operators.
-
- The following list shows the supported values:
-
-- 0 (default) – Do not ignore MO download limit for apps and their updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
-
- To validate this policy:
-
-1. Enable the policy ensure the device is on a cellular network.
-2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
-
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
-
-
-
-
-
-
-
-**Update/IgnoreMOUpdateDownloadLimit**
-
-
- Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
-
-> [!WARNING]
-> Setting this policy might cause devices to incur costs from MO operators.
-
- The following list shows the supported values:
-
-- 0 (default) – Do not ignore MO download limit for OS updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
-
- To validate this policy:
-
-1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
-
-3. Verify that any downloads that are above the download size limit will complete without being paused.
-
-
-
-
-
-
-
-
-**Update/PauseDeferrals**
-
-
- Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
-
- The following list shows the supported values:
-
-- 0 (default) – Deferrals are not paused.
-- 1 – Deferrals are paused.
-
- If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
- If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
-
-
-
-
-
-
-**Update/PauseFeatureUpdates**
-
-
- Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
-
- Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
-
- The following list shows the supported values:
-
-- 0 (default) – Feature Updates are not paused.
-- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
-
-
-
-
-
-
-
-**Update/PauseFeatureUpdatesStartTime**
-
-
- Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
-
- Value type is string. Supported operations are Add, Get, Delete, and Replace.
-
-
-
-
-
-
-
-**Update/PauseQualityUpdates**
-
-
- Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
-
- The following list shows the supported values:
-
-- 0 (default) – Quality Updates are not paused.
-- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
-
-
-
-
-
-
-
-**Update/PauseQualityUpdatesStartTime**
-
-
- Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
-
- Value type is string. Supported operations are Add, Get, Delete, and Replace.
-
-
-
-
-
-
-
-**Update/RequireDeferUpgrade**
-
-
- Allows the IT admin to set a device to CBB train.
-
- The following list shows the supported values:
-
-- 0 (default) – User gets upgrades from Current Branch.
-- 1 – User gets upgrades from Current Branch for Business.
-
-
-
-
-
-
-
-**Update/RequireUpdateApproval**
-
-
- Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
-
- Supported operations are Get and Replace.
-
- The following list shows the supported values:
-
-- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
-
-
-
-
-
-
-
-**Update/ScheduleImminentRestartWarning**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
-
- Supported values are 15, 30, or 60 (minutes).
-
- The default value is 15 (minutes).
-
-
-
-
-
-
-
-**Update/ScheduleRestartWarning**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
-
- Supported values are 2, 4, 8, 12, or 24 (hours).
-
- The default value is 4 (hours).
-
-
-
-
-
-
-
-**Update/ScheduledInstallDay**
-
-
- Enables the IT admin to schedule the day of the update installation.
-
- The data type is a string.
-
- Supported operations are Add, Delete, Get, and Replace.
-
- The following list shows the supported values:
-
-- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
-- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
-
-
-
-
-
-
-
-**Update/ScheduledInstallTime**
-
-
- Enables the IT admin to schedule the time of the update installation.
-
- The data type is a string.
-
- Supported operations are Add, Delete, Get, and Replace.
-
- Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
-
- The default value is 3.
-
-
-
-
-
-
-
-**Update/SetAutoRestartNotificationDisable**
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
-
- The following list shows the supported values:
-
-- 0 (default) – Enabled
-- 1 – Disabled
-
-
-
-
-
-
-
-**Update/SetEDURestart**
-
-
- Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
-
- The following list shows the supported values:
-
-- 0 - not configured
-- 1 - configured
-
-
-
-
-
-
-
-**Update/UpdateServiceUrl**
-
-
- Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
-
- Supported operations are Get and Replace.
-
- The following list shows the supported values:
-
-- Not configured. The device checks for updates from Microsoft Update.
-- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
-
-Example
-
-``` syntax
- Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
-
- This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
-
- To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
-
- Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
-
-> [!Note]
-> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
-> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
-> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
-
-
-
-
-
-
-
-**WiFi/AllowWiFiHotSpotReporting**
-
-
- This policy has been deprecated.
-
-
-
-
-
-
-
-**Wifi/AllowAutoConnectToWiFiSenseHotspots**
-
-
- Allow or disallow the device to automatically connect to Wi-Fi hotspots.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Wifi/AllowInternetSharing**
-
-
- Allow or disallow internet sharing.
-
- The following list shows the supported values:
-
-- 0 – Do not allow the use of Internet Sharing.
-- 1 (default) – Allow the use of Internet Sharing.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Wifi/AllowManualWiFiConfiguration**
-
-
- Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
-
- The following list shows the supported values:
-
-- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed.
-- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed.
-
- Most restricted value is 0.
-
-> [!NOTE]
-> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted.
-
-
-
-
-
-
-
-
-**Wifi/AllowWiFi**
-
-
- Allow or disallow WiFi connection.
-
- The following list shows the supported values:
-
-- 0 – WiFi connection is not allowed.
-- 1 (default) – WiFi connection is allowed.
-
- Most restricted value is 0.
-
-
-
-
-
-
-
-**Wifi/AllowWiFiDirect**
-
-
- Added in Windows 10, version 1703. Allow WiFi Direct connection..
-
-- 0 - WiFi Direct connection is not allowed.
-- 1 - WiFi Direct connection is allowed.
-
-
-
-
-
-
-
-**Wifi/WLANScanMode**
-
-
- Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
-
- Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency.
-
- The default value is 0.
-
- Supported operations are Add, Delete, Get, and Replace.
-
-
-
-
-
-
-
-**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
-
-
- Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
-
- Value type is bool. The following list shows the supported values:
-
-- 0 - app suggestions are not allowed.
-- 1 (default) -allow app suggestions.
-
-
-
-
-
-
-
-**WindowsInkWorkspace/AllowWindowsInkWorkspace**
-
-
- Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
-
- Value type is int. The following list shows the supported values:
-
-- 0 - access to ink workspace is disabled. The feature is turned off.
-- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
-- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.
-
-
-
-
-
-
-
-**WindowsLogon/DisableLockScreenAppNotifications**
-
-
-This policy setting allows you to prevent app notifications from appearing on the lock screen.
-
-If you enable this policy setting, no app notifications are displayed on the lock screen.
-
-If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Turn off app notifications on the lock screen*
-- GP name: *DisableLockScreenAppNotifications*
-- GP path: *System/Logon*
-- GP ADMX file name: *logon.admx*
-
-
-
-
-**WindowsLogon/DontDisplayNetworkSelectionUI**
-
-
-This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
-
-If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
-
-If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
-
-
-
-
-
-ADMX Info:
-- GP english name: *Do not display network selection UI*
-- GP name: *DontDisplayNetworkSelectionUI*
-- GP path: *System/Logon*
-- GP ADMX file name: *logon.admx*
-
-
-
-
-**WindowsLogon/HideFastUserSwitching**
-
-
- Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
-
- Value type is bool. The following list shows the supported values:
-
-- 0 (default) - Diabled (visible).
-- 1 - Enabled (hidden).
-
- To validate on Desktop, do the following:
-
-1. Enable policy.
-2. Verify that the Switch account button in Start is hidden.
-
-
-
-
-
-
-
-**WirelessDisplay/AllowProjectionFromPC**
-
-
- Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
-
-- 0 - your PC cannot discover or project to other devices.
-- 1 - your PC can discover and project to other devices
-
-
-
-
-
-
-
-**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
-
-
- Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
-
-- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
-- 1 - your PC can discover and project to other devices over infrastructure.
-
-
-
-
-
-
-
-**WirelessDisplay/AllowProjectionToPC**
-
-
- Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
-
- If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
- Value type is integer. Valid value:
-
-- 0 - projection to PC is not allowed. Always off and the user cannot enable it.
-- 1 (default) - projection to PC is allowed. Enabled only above the lock screen.
-
-
-
-
-
-
-
-**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
-
-
- Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
-
-- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct.
-- 1 - your PC is discoverable and other devices can project to it over infrastructure.
-
-
-
-
-
-
-
-**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
-
-
- Added in Windows 10, version 1703.
-
-
-
-
-
-
-
-**WirelessDisplay/RequirePinForPairing**
-
-
- Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
-
- If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**.
-
- Value type is integer. Valid value:
-
-- 0 (default) - PIN is not required.
-- 1 - PIN is required.
-
-
-
-
-
- Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
@@ -174,6 +197,10 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+**AboveLock/AllowToasts**
+
Specifies whether to allow toast notifications above the device lock screen.
@@ -215,6 +238,10 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+**Accounts/AllowAddingNonMicrosoftAccountsManually**
+
Specifies whether user is allowed to add non-MSA email accounts.
@@ -259,6 +282,10 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+**Accounts/AllowMicrosoftAccountConnection**
+
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
@@ -300,6 +323,10 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+**Accounts/AllowMicrosoftAccountSignInAssistant**
+
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
@@ -339,44 +362,10 @@ The following diagram shows the Policy configuration service provider in tree fo
-
- Specifies a list of the domains that are allowed to sync email on the device.
-
- The data type is a string.
-
- The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
-
-
-
-
-
Specifies a list of the domains that are allowed to sync email on the device.
+
+ The data type is a string.
+
+ The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov".
+
+
+
+
+
**ActiveXControls/ApprovedInstallationSites**
@@ -1039,6 +1039,29 @@ ADMX Info:
**ApplicationDefaults/DefaultAssociationsConfiguration**
+
+ Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
@@ -1100,6 +1123,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/AllowAllTrustedApps**
+
Specifies whether non Windows Store apps are allowed.
@@ -1142,47 +1165,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
- Specifies whether automatic update of apps from Windows Store are allowed.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
Specifies whether automatic update of apps from Windows Store are allowed.
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+ Most restricted value is 0.
+
+
+
+
+
**ApplicationManagement/AllowDeveloperUnlock**
+
+ Specifies whether developer unlock is allowed.
@@ -1225,6 +1248,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/AllowGameDVR**
+
Specifies whether multiple users of the same app can share data.
@@ -1310,6 +1333,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/AllowStore**
+
Specifies whether app store is allowed at the device.
@@ -1351,6 +1374,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/ApplicationRestrictions**
+
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded.
@@ -1446,6 +1469,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/RequirePrivateStoreOnly**
+
Allows disabling of the retail catalog and only enables the Private store.
@@ -1496,6 +1519,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/RestrictAppDataToSystemVolume**
+
Specifies whether application data is restricted to the system drive.
@@ -1537,6 +1560,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/RestrictAppToSystemVolume**
+
Specifies whether the installation of applications is restricted to the system drive.
@@ -1578,29 +1601,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
- Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
@@ -1741,6 +1764,10 @@ ADMX Info:
+
+
+**Authentication/AllowSecondaryAuthenticationDevice**
+
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
@@ -1782,29 +1805,6 @@ ADMX Info:
-
- Specifies the BitLocker Drive Encryption method and cipher strength.
-
- The following list shows the supported values:
-
-- 3- AES 128-bit
-- 4- AES 256
-- 6 -XTS 128
-- 7 - XTS 256
-
-
-
-
-
Specifies the BitLocker Drive Encryption method and cipher strength.
+
+ The following list shows the supported values:
+
+- 3- AES 128-bit
+- 4- AES 256
+- 6 -XTS 128
+- 7 - XTS 256
+
+
+
+
+
**Bluetooth/AllowAdvertising**
+
+ Specifies whether the device can send out Bluetooth advertisements.
@@ -1951,6 +1974,10 @@ ADMX Info:
+
+
+**Bluetooth/AllowDiscoverableMode**
+
Specifies whether other Bluetooth-enabled devices can discover the device.
@@ -1994,6 +2017,10 @@ ADMX Info:
+
+
+**Bluetooth/AllowPrepairing**
+
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
@@ -2033,6 +2056,10 @@ ADMX Info:
+
+
+**Bluetooth/LocalDeviceName**
+
Sets the local Bluetooth device name.
@@ -2071,6 +2094,10 @@ ADMX Info:
+
+
+**Bluetooth/ServicesAllowedList**
+
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
@@ -2107,29 +2130,6 @@ ADMX Info:
-
- Specifies whether autofill on websites is allowed.
@@ -2176,6 +2199,10 @@ ADMX Info:
+
+
+**Browser/AllowBrowser**
+
Specifies whether cookies are allowed.
@@ -2271,6 +2294,10 @@ ADMX Info:
+
+
+**Browser/AllowDeveloperTools**
+
Specifies whether Do Not Track headers are allowed.
@@ -2364,6 +2387,10 @@ ADMX Info:
+
+
+**Browser/AllowExtensions**
+
Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
@@ -2403,6 +2426,10 @@ ADMX Info:
+
+
+**Browser/AllowFlash**
+
Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
@@ -2442,6 +2465,10 @@ ADMX Info:
+
+
+**Browser/AllowFlashClickToRun**
+
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
@@ -2481,6 +2504,10 @@ ADMX Info:
+
+
+**Browser/AllowInPrivate**
+
Specifies whether InPrivate browsing is allowed on corporate networks.
@@ -2522,29 +2545,6 @@ ADMX Info:
-
- Specifies whether saving and managing passwords locally on the device is allowed.
@@ -2591,6 +2614,10 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+
+**Browser/AllowPopups**
+
Specifies whether pop-up blocker is allowed or enabled.
@@ -2639,29 +2662,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
-
- Specifies whether search suggestions are allowed in the address bar.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
Specifies whether search suggestions are allowed in the address bar.
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+ Most restricted value is 0.
+
+
+
+
+
**Browser/AllowSmartScreen**
+
+ Specifies whether Windows Defender SmartScreen is allowed.
@@ -2748,29 +2771,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
-
- Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
@@ -3026,29 +3049,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
- Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
@@ -3103,6 +3126,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/PreventSmartScreenPromptOverrideForFiles**
+
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
@@ -3142,6 +3165,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/PreventUsingLocalHostIPAddressForWebRTC**
+
Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
-
- The following list shows the supported values:
-
-- 0 (default) – Interstitial pages are not shown.
-- 1 – Interstitial pages are shown.
-
- Most restricted value is 0.
-
-
-
-
-
Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List.
+
+ The following list shows the supported values:
+
+- 0 (default) – Interstitial pages are not shown.
+- 1 – Interstitial pages are shown.
+
+ Most restricted value is 0.
+
+
+
+
+
**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
+
+ Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
@@ -3352,47 +3375,10 @@ Employees cannot remove these search engines, but they can set any one as the de
-
- Disables or enables the camera.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
Disables or enables the camera.
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+ Most restricted value is 0.
+
+
+
+
+
**Connectivity/AllowBluetooth**
+
+ Allows the user to enable Bluetooth or restrict access.
@@ -3441,6 +3464,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowCellularData**
+
Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
@@ -3481,6 +3504,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowCellularDataRoaming**
+
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
@@ -3531,6 +3554,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowConnectedDevices**
+
Specifies what type of underlying connections VPN is allowed to use.
@@ -3706,6 +3729,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowVPNRoamingOverCellular**
+
Prevents the device from connecting to VPN when the device roams over cellular networks.
@@ -3747,29 +3770,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
- Allows or disallows the Federal Information Processing Standard (FIPS) policy.
@@ -3905,6 +3928,10 @@ ADMX Info:
+
+
+**Cryptography/TLSCipherSuites**
+
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
@@ -3939,6 +3962,10 @@ ADMX Info:
+
+
+**DataProtection/AllowDirectMemoryAccess**
+
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
@@ -3980,6 +4003,10 @@ ADMX Info:
+
+
+**DataProtection/LegacySelectiveWipeID**
+
Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
+
+ The default value is 0 (FALSE).
+
+
+
+
+
+
+
+**DeliveryOptimization/DODownloadMode**
+
Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
-
- The default value is 0 (FALSE).
-
-
-
-
-
-
- Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
-
- By default, %SystemDrive% is used to store the cache.
-
-
-
-
-
Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
+
+ By default, %SystemDrive% is used to store the cache.
+
+
+
+
+
**DeliveryOptimization/DOMonthlyUploadDataCap**
+
+ Specifies whether the user must input a PIN or password when the device resumes from an idle state.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
Specifies whether the user must input a PIN or password when the device resumes from an idle state.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
+
+ Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
@@ -6137,6 +6160,10 @@ ADMX Info:
+
+
+**DeviceLock/AlphanumericDevicePasswordRequired**
+
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
@@ -6189,6 +6212,10 @@ ADMX Info:
+
+
+**DeviceLock/DevicePasswordEnabled**
+
Specifies whether device lock is enabled.
@@ -6268,6 +6291,10 @@ ADMX Info:
+
+
+**DeviceLock/DevicePasswordExpiration**
+
Specifies when the password expires (in days).
@@ -6315,6 +6338,10 @@ ADMX Info:
+
+
+**DeviceLock/DevicePasswordHistory**
+
Specifies how many passwords can be stored in the history that can’t be used.
@@ -6364,6 +6387,10 @@ ADMX Info:
+
+
+**DeviceLock/EnforceLockScreenAndLogonImage**
+
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
@@ -6404,6 +6427,10 @@ ADMX Info:
+
+
+**DeviceLock/EnforceLockScreenProvider**
+
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
@@ -6444,6 +6467,10 @@ ADMX Info:
+
+
+**DeviceLock/MaxDevicePasswordFailedAttempts**
+
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
@@ -6543,6 +6566,53 @@ The number of authentication failures allowed before the device will be wiped. A
+
+
+**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
+
+
+ Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
+
+> [!NOTE]
+> This policy must be wrapped in an Atomic command.
+
+
+ The following list shows the supported values:
+
+- An integer X where 0 <= X <= 999.
+- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
+
+
+
+
+
+
+
+**DeviceLock/MinDevicePasswordComplexCharacters**
+
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
-
-> [!NOTE]
-> This policy must be wrapped in an Atomic command.
-
-
- The following list shows the supported values:
-
-- An integer X where 0 <= X <= 999.
-- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
-
-
-
-
-
-
- The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
@@ -6691,6 +6714,10 @@ The number of authentication failures allowed before the device will be wiped. A
+
+
+**DeviceLock/MinDevicePasswordLength**
+
Specifies the minimum number or characters required in the PIN or password.
@@ -6741,29 +6764,6 @@ The number of authentication failures allowed before the device will be wiped. A
-
- Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
-
- Minimum supported value is 10.
-
- Maximum supported value is 1800.
-
- The default value is 10.
-
- Most restricted value is 0.
-
-
-
-
-
Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices.
+
+ Minimum supported value is 10.
+
+ Maximum supported value is 1800.
+
+ The default value is 10.
+
+ Most restricted value is 0.
+
+
+
+
+
**Display/TurnOffGdiDPIScalingForApps**
+
+ GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
@@ -6855,6 +6878,10 @@ ADMX Info:
+
+
+**Display/TurnOnGdiDPIScalingForApps**
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
@@ -6902,6 +6925,10 @@ ADMX Info:
+
+
+**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
+
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
@@ -6940,6 +6963,10 @@ ADMX Info:
+
+
+**EnterpriseCloudPrint/CloudPrintOAuthClientId**
+
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
@@ -6978,6 +7001,10 @@ ADMX Info:
+
+
+**EnterpriseCloudPrint/CloudPrintResourceId**
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
@@ -7016,6 +7039,10 @@ ADMX Info:
+
+
+**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
+
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
@@ -7054,6 +7077,10 @@ ADMX Info:
+
+
+**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
+
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
@@ -7092,6 +7115,10 @@ ADMX Info:
+
+
+**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
@@ -7130,29 +7153,6 @@ ADMX Info:
-
- Specifies whether copy and paste is allowed.
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
Specifies whether copy and paste is allowed.
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+ Most restricted value is 0.
+
+
+
+
+
**Experience/AllowCortana**
+
+ Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
@@ -7437,6 +7460,10 @@ ADMX Info:
+
+
+**Experience/AllowDeviceDiscovery**
+
Allows users to turn on/off device discovery UX.
@@ -7480,29 +7503,6 @@ ADMX Info:
-
- Specifies whether to allow the user to delete the workplace account using the workplace control panel.
@@ -7540,6 +7563,10 @@ ADMX Info:
+
+
+**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
+
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
@@ -7667,29 +7690,6 @@ ADMX Info:
-
- The following list shows the supported values:
-
-- 0 – Disabled.
-- 1 (default) – Enabled.
-
-
-
-
-
The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 (default) – Enabled.
+
+
+
+
+
**Experience/ConfigureWindowsSpotlightOnLockScreen**
+
+ Prevents devices from showing feedback questions from Microsoft.
@@ -8089,29 +8112,6 @@ Enables or disables Windows Tips / soft landing.
-
- Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
@@ -11940,6 +11963,10 @@ ADMX Info:
+
+
+**Licensing/DisallowKMSClientOnlineAVSValidation**
+
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
@@ -11979,6 +12002,10 @@ ADMX Info:
+
+
+**Location/EnableLocation**
+
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
@@ -12026,47 +12049,10 @@ ADMX Info:
-
- Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
-
- The following list shows the supported values:
-
-- 0 - disallow edge swipe.
-- 1 (default, not configured) - allow edge swipe.
-
- The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
-
-
-
-
-
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
+
+ The following list shows the supported values:
+
+- 0 - disallow edge swipe.
+- 1 (default, not configured) - allow edge swipe.
+
+ The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+
+
+
+
+
**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
+
+ Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
@@ -12109,6 +12132,10 @@ ADMX Info:
+
+
+**Maps/EnableOfflineMapsAutoUpdate**
+
Added in Windows 10, version 1607. Disables the automatic download and update of map data.
@@ -12151,29 +12174,6 @@ ADMX Info:
-
- Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
-
- The following list shows the supported values:
-
-- 0 - message sync is not allowed and cannot be changed by the user.
-- 1 - message sync is allowed. The user can change this setting.
-
-
-
-
-
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+ The following list shows the supported values:
+
+- 0 - message sync is not allowed and cannot be changed by the user.
+- 1 - message sync is allowed. The user can change this setting.
+
+
+
+
+
**Messaging/AllowRCS**
@@ -12255,13 +12255,6 @@ ADMX Info:
**NetworkIsolation/EnterpriseCloudResources**
-
- Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
-
-
-
-
-
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+
+
+
**NetworkIsolation/EnterpriseIPRange**
+
+ Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
@@ -12305,6 +12328,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
+
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
@@ -12339,6 +12362,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**NetworkIsolation/EnterpriseInternalProxyServers**
+
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
@@ -12373,6 +12396,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**NetworkIsolation/EnterpriseNetworkDomainNames**
+
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
@@ -12417,6 +12440,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**NetworkIsolation/EnterpriseProxyServers**
+
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
@@ -12451,6 +12474,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
+
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
@@ -12485,6 +12508,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**NetworkIsolation/NeutralResources**
+
List of domain names that can used for work or personal resource.
@@ -12519,6 +12542,10 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+
+**Notifications/DisallowNotificationMirroring**
+
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
@@ -12562,29 +12585,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
- Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
-
- The following list shows the supported values:
-
-- 0 (default)– Not allowed.
-- 1 – Allowed.
-
- Most restricted value is 0.
-
-
-
-
-
Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
+ Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
The following list shows the supported values:
-- 0 – Not allowed.
-- 1 (default) – Allowed.
+- 0 (default)– Not allowed.
+- 1 – Allowed.
Most restricted value is 0.
-
+
+
+
+**Privacy/AllowInputPersonalization**
+
Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+ Most restricted value is 0.
+
+
+
+
+
**Privacy/DisableAdvertisingId**
+
+ Added in Windows 10, version 1607. Enables or disables the Advertising ID.
@@ -12845,6 +12868,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessAccountInfo**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
@@ -12887,6 +12910,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -12921,6 +12944,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -12955,6 +12978,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
@@ -12989,6 +13012,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCalendar**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
@@ -13031,6 +13054,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -13065,6 +13088,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -13099,6 +13122,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
@@ -13133,6 +13156,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCallHistory**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
@@ -13175,6 +13198,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -13209,6 +13232,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -13243,6 +13266,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
@@ -13277,6 +13300,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCamera**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
@@ -13319,6 +13342,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -13353,6 +13376,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -13387,6 +13410,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
@@ -13421,6 +13444,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessContacts**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
@@ -13463,6 +13486,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -13497,6 +13520,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -13531,6 +13554,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
@@ -13565,6 +13588,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessEmail**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
@@ -13607,6 +13630,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -13641,6 +13664,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -13675,6 +13698,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
@@ -13709,6 +13732,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessLocation**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
@@ -13751,6 +13774,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -13785,6 +13808,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -13819,6 +13842,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
@@ -13853,6 +13876,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMessaging**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
@@ -13895,6 +13918,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -13929,6 +13952,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -13963,6 +13986,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
@@ -13997,6 +14020,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMicrophone**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
@@ -14039,6 +14062,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -14073,6 +14096,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -14107,6 +14130,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
@@ -14141,6 +14164,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMotion**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
@@ -14183,6 +14206,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -14217,6 +14240,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -14251,6 +14274,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
@@ -14285,6 +14308,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessNotifications**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
@@ -14327,6 +14350,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -14361,6 +14384,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -14395,6 +14418,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
@@ -14429,6 +14452,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessPhone**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
@@ -14471,6 +14494,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -14505,6 +14528,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -14539,6 +14562,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
@@ -14573,6 +14596,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessRadios**
+
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
@@ -14615,6 +14638,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -14649,6 +14672,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -14683,6 +14706,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
@@ -14717,6 +14740,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTasks**
+
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
@@ -14751,6 +14774,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -14785,6 +14808,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -14819,6 +14842,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
@@ -14853,6 +14876,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTrustedDevices**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
@@ -14895,6 +14918,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -14929,6 +14952,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -14963,6 +14986,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
@@ -14997,6 +15020,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsGetDiagnosticInfo**
+
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
@@ -15039,6 +15062,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -15073,6 +15096,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -15107,6 +15130,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
@@ -15141,6 +15164,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsRunInBackground**
+
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
@@ -15185,6 +15208,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -15219,6 +15242,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -15253,6 +15276,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
@@ -15287,6 +15310,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsSyncWithDevices**
+
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
@@ -15329,6 +15352,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -15363,6 +15386,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -15397,6 +15420,10 @@ ADMX Info:
+
+
+**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
@@ -15431,29 +15454,6 @@ ADMX Info:
-
- Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
@@ -15842,6 +15865,10 @@ ADMX Info:
+
+
+**Search/AllowSearchToUseLocation**
+
Specifies whether search can leverage location information.
@@ -15883,6 +15906,10 @@ ADMX Info:
+
+
+**Search/AllowUsingDiacritics**
+
Allows the use of diacritics.
@@ -15924,6 +15947,10 @@ ADMX Info:
+
+
+**Search/AlwaysUseAutoLangDetection**
+
Specifies whether to always use automatic language detection when indexing content and properties.
@@ -15965,6 +15988,10 @@ ADMX Info:
+
+
+**Search/DisableBackoff**
+
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
@@ -16004,6 +16027,10 @@ ADMX Info:
+
+
+**Search/DisableRemovableDriveIndexing**
+
This policy setting configures whether or not locations on removable drives can be added to libraries.
@@ -16047,6 +16070,10 @@ ADMX Info:
+
+
+**Search/PreventIndexingLowDiskSpaceMB**
+
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB.
@@ -16090,6 +16113,10 @@ ADMX Info:
+
+
+**Search/PreventRemoteQueries**
+
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
@@ -16129,6 +16152,10 @@ ADMX Info:
+
+
+**Search/SafeSearchPermissions**
+
Specifies whether to allow the runtime configuration agent to install provisioning packages.
@@ -16213,6 +16236,10 @@ ADMX Info:
+
+
+**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
+
Specifies whether to allow the runtime configuration agent to remove provisioning packages.
@@ -16345,6 +16368,10 @@ ADMX Info:
+
+
+**Security/AntiTheftMode**
+
Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
@@ -16520,6 +16543,10 @@ ADMX Info:
+
+
+**Security/RequireRetrieveHealthCertificateOnBoot**
+
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
@@ -16570,6 +16593,10 @@ ADMX Info:
+
+
+**Settings/AllowAutoPlay**
+
Allows the user to change Data Sense settings.
@@ -16656,6 +16679,10 @@ ADMX Info:
+
+
+**Settings/AllowDateTime**
+
Allows the user to change date and time settings.
@@ -16695,6 +16718,10 @@ ADMX Info:
+
+
+**Settings/AllowEditDeviceName**
+
Allows editing of the device name.
@@ -16734,6 +16757,10 @@ ADMX Info:
+
+
+**Settings/AllowLanguage**
+
Allows the user to change VPN settings.
@@ -16945,6 +16968,10 @@ ADMX Info:
+
+
+**Settings/AllowWorkplace**
+
Allows user to change account settings.
@@ -17027,6 +17050,10 @@ ADMX Info:
+
+
+**Settings/ConfigureTaskbarCalendar**
+
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
@@ -17068,6 +17091,10 @@ ADMX Info:
+
+
+**Settings/PageVisibilityList**
+
Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
@@ -17132,6 +17155,10 @@ ADMX Info:
+
+
+**SmartScreen/EnableAppInstallControl**
+
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
@@ -17171,6 +17194,10 @@ ADMX Info:
+
+
+**SmartScreen/EnableSmartScreenInShell**
+
Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
@@ -17210,6 +17233,10 @@ ADMX Info:
+
+
+**SmartScreen/PreventOverrideForFilesInShell**
+
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
@@ -17249,45 +17272,10 @@ ADMX Info:
-
- Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
-
- The following list shows the supported values:
-
-- 0 – Not allowed.
-- 1 (default) – Allowed.
-
-
-
-
-
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
+
+ The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+
+
+
+
**Start/ForceStartSize**
+
+ Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
-
- This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
-
-
-
-
-
Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy
+
+ This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic.
+
+
+
+
+
**Storage/EnhancedStorageDevices**
@@ -17815,6 +17815,29 @@ ADMX Info:
**System/AllowBuildPreview**
+
+ Specifies whether set general purpose device to be in embedded mode.
@@ -17875,6 +17898,10 @@ ADMX Info:
+
+
+**System/AllowExperimentation**
+
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
@@ -17970,6 +17993,10 @@ ADMX Info:
+
+
+**System/AllowLocation**
+
Specifies whether to allow app access to the Location service.
@@ -18018,6 +18041,10 @@ ADMX Info:
+
+
+**System/AllowStorageCard**
+
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
@@ -18059,6 +18082,10 @@ ADMX Info:
+
+
+**System/AllowTelemetry**
+
Allow the device to send diagnostic and usage telemetry data, such as Watson.
@@ -18155,6 +18178,10 @@ ADMX Info:
+
+
+**System/AllowUserToResetPhone**
+
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
@@ -18196,29 +18219,6 @@ ADMX Info:
-
- Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
@@ -18267,29 +18290,6 @@ ADMX Info:
-
- Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
-
- If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
-
-
-
-
-
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
+
+ If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration.
+
+
+
+
+
**TextInput/AllowIMELogging**
+
+ Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
-
-> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
-
- Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
- The default is 17 (5 PM).
-
-
-
-
-
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+> [!NOTE]
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+
+ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+ The default is 17 (5 PM).
+
+
+
+
+
**Update/ActiveHoursMaxRange**
@@ -18988,24 +18988,6 @@ ADMX Info:
**Update/ActiveHoursStart**
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
- Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
-
-> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
-
- Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
-
- The default value is 8 (8 AM).
-
-
-
-
-
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+> [!NOTE]
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+
+ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+ The default value is 8 (8 AM).
+
+
+
+
+
**Update/AllowAutoUpdate**
+
+ Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
@@ -19552,29 +19575,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
- Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-
- The following list shows the supported values:
-
-- 0 (default) – Allow Windows Update drivers.
-- 1 – Exclude Windows Update drivers.
-
-
-
-
-
-
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
-
> [!NOTE]
-> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
+> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
+
+ Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
The following list shows the supported values:
-- 0 (default) – Disabled.
-- 1 – Enabled.
+- 0 (default) – Allow Windows Update drivers.
+- 1 – Exclude Windows Update drivers.
+
+
+
+**Update/FillEmptyContentUrls**
+
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
+
+> [!NOTE]
+> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server.
+
+ The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+
+
+
+
**Update/IgnoreMOAppDownloadLimit**
+
+ Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
@@ -19748,6 +19771,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/IgnoreMOUpdateDownloadLimit**
+
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
@@ -19799,6 +19822,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/PauseDeferrals**
+
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
@@ -19928,6 +19951,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/PauseQualityUpdates**
+
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
@@ -20006,6 +20029,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/RequireDeferUpgrade**
+
Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
-
- The following list shows the supported values:
-
-- 0 - not configured
-- 1 - configured
-
-
-
-
-
Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
+
+ The following list shows the supported values:
+
+- 0 - not configured
+- 1 - configured
+
+
+
+
+
**Update/UpdateServiceUrl**
+
+ Allow or disallow the device to automatically connect to Wi-Fi hotspots.
@@ -20461,6 +20484,10 @@ Example
+
+
+**Wifi/AllowInternetSharing**
+
Allow or disallow internet sharing.
@@ -20502,6 +20525,10 @@ Example
+
+
+**Wifi/AllowManualWiFiConfiguration**
+
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
@@ -20547,6 +20570,10 @@ Example
+
+
+**Wifi/AllowWiFi**
+
Allow or disallow WiFi connection.
@@ -20588,6 +20611,47 @@ Example
+
+
+**Wifi/AllowWiFiDirect**
+
+
+ Added in Windows 10, version 1703. Allow WiFi Direct connection..
+
+- 0 - WiFi Direct connection is not allowed.
+- 1 - WiFi Direct connection is allowed.
+
+
+
+
+
+
+
+**Wifi/WLANScanMode**
+
Added in Windows 10, version 1703. Allow WiFi Direct connection..
-
-- 0 - WiFi Direct connection is not allowed.
-- 1 - WiFi Direct connection is allowed.
-
-
-
-
-
-
- Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
@@ -20665,6 +20688,10 @@ Example
+
+
+**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
+
Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace.
@@ -20704,6 +20727,10 @@ Example
+
+
+**WindowsInkWorkspace/AllowWindowsInkWorkspace**
+
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
@@ -20744,29 +20767,6 @@ Example
-
- Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
@@ -20832,6 +20855,84 @@ ADMX Info:
+
+
+**WirelessDisplay/AllowProjectionFromPC**
+
+
+ Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
+
+- 0 - your PC cannot discover or project to other devices.
+- 1 - your PC can discover and project to other devices
+
+
+
+
+
+
+
+**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
+
+
+ Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
+
+- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
+- 1 - your PC can discover and project to other devices over infrastructure.
+
+
+
+
+
+
+
+**WirelessDisplay/AllowProjectionToPC**
+
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC.
-
-- 0 - your PC cannot discover or project to other devices.
-- 1 - your PC can discover and project to other devices
-
-
-
-
-
-
- Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
-
-- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct.
-- 1 - your PC can discover and project to other devices over infrastructure.
-
-
-
-
-
-
- Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC.
@@ -20947,6 +20970,10 @@ ADMX Info:
+
+
+**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
+
Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
@@ -20984,29 +21007,6 @@ ADMX Info:
-
- Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
@@ -21058,33 +21058,102 @@ ADMX Info:
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy has been deprecated in Windows 10, version 1607
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!IMPORTANT]
-> This node is set on a per-user basis and must be accessed using the following paths:
-> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
->
->
-> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
-> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is not supported in Windows 10, version 1607.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-
-Windows 8.1 Values
-
-
-
-
-
-
-
-
-
-
-
-> [!IMPORTANT]
-> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1.
-
-
-
-
-
-
-Windows 10 Values
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> The policy is only enforced in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-**Update/DeferUpgradePeriod**
-
-
-
-
-
-
-Update category
-Maximum deferral
-Deferral increment
-Update type/notes
-
-
-
-
-
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
->
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
->
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-> [!Important]
-> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-## Examples
-
-Set the minimum password length to 4 characters.
-
-``` syntax
-
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -135,6 +158,10 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+**AboveLock/AllowCortanaAboveLock**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**AboveLock/AllowCortanaAboveLock**
-
@@ -148,20 +175,16 @@ The following diagram shows the Policy configuration service provider in tree fo
-
-
-
-**AboveLock/AllowToasts**
-
@@ -197,10 +224,6 @@ The following diagram shows the Policy configuration service provider in tree fo
-
-
-**Accounts/AllowAddingNonMicrosoftAccountsManually**
-
@@ -238,10 +265,6 @@ The following diagram shows the Policy configuration service provider in tree fo
-
-
-**Accounts/AllowMicrosoftAccountConnection**
-
@@ -282,10 +309,6 @@ The following diagram shows the Policy configuration service provider in tree fo
-
-
-**Accounts/AllowMicrosoftAccountSignInAssistant**
-
@@ -314,7 +341,7 @@ The following diagram shows the Policy configuration service provider in tree fo
+
-
-
-
**Accounts/DomainNamesForEmailSync**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+
@@ -400,6 +389,17 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**ApplicationManagement/AllowAllTrustedApps**
-
@@ -1112,9 +1139,9 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
MobileEnterprise
-
-
-
-
**ApplicationManagement/AllowAppStoreAutoUpdate**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
@@ -1206,10 +1192,47 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**ApplicationManagement/AllowGameDVR**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -1269,6 +1292,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/AllowSharedUserAppData**
+
@@ -1242,16 +1269,12 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-**ApplicationManagement/AllowSharedUserAppData**
-
@@ -1286,16 +1313,12 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-**ApplicationManagement/AllowStore**
-
@@ -1323,20 +1350,16 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-
-**ApplicationManagement/ApplicationRestrictions**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@@ -1407,6 +1430,10 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
+
+
+**ApplicationManagement/DisableStoreOriginatedApps**
+
@@ -1374,10 +1401,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-**ApplicationManagement/DisableStoreOriginatedApps**
-
@@ -1422,18 +1449,14 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-
-**ApplicationManagement/RequirePrivateStoreOnly**
-
@@ -1463,16 +1490,12 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-**ApplicationManagement/RestrictAppDataToSystemVolume**
-
@@ -1509,7 +1536,7 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-**ApplicationManagement/RestrictAppToSystemVolume**
-
@@ -1560,10 +1587,6 @@ PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25z
-
-
-
**AttachmentManager/DoNotPreserveZoneInformation**
@@ -1677,6 +1677,29 @@ ADMX Info:
**Authentication/AllowEAPCertSSO**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -1700,6 +1723,10 @@ ADMX Info:
+
+
+**Authentication/AllowFastReconnect**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Authentication/AllowFastReconnect**
-
@@ -1712,21 +1739,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-**Authentication/AllowSecondaryAuthenticationDevice**
-
@@ -1764,10 +1791,6 @@ ADMX Info:
-
-
-
**Autoplay/DisallowAutoplayForNonVolumeDevices**
@@ -1894,20 +1894,6 @@ ADMX Info:
**Bitlocker/EncryptionMethod**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
@@ -1931,10 +1917,47 @@ ADMX Info:
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Bluetooth/AllowDiscoverableMode**
-
@@ -1974,10 +2001,6 @@ ADMX Info:
-
-
-**Bluetooth/AllowPrepairing**
-
@@ -2017,10 +2044,6 @@ ADMX Info:
-
-
-**Bluetooth/LocalDeviceName**
-
@@ -2056,10 +2083,6 @@ ADMX Info:
-
-
-**Bluetooth/ServicesAllowedList**
-
@@ -2094,10 +2121,6 @@ ADMX Info:
-
-
-
**Browser/AllowAddressBarDropdown**
@@ -2155,6 +2155,29 @@ ADMX Info:
**Browser/AllowAutofill**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Browser/AllowBrowser**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@@ -2223,6 +2246,10 @@ ADMX Info:
+
+
+**Browser/AllowCookies**
+
@@ -2189,20 +2216,16 @@ ADMX Info:
-
-
-
-**Browser/AllowCookies**
-
@@ -2236,20 +2263,16 @@ ADMX Info:
-
-
-
-**Browser/AllowDeveloperTools**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2316,6 +2339,10 @@ ADMX Info:
+
+
+**Browser/AllowDoNotTrack**
+
@@ -2288,16 +2315,12 @@ ADMX Info:
-
-
-**Browser/AllowDoNotTrack**
-
@@ -2333,16 +2360,12 @@ ADMX Info:
-
-
-**Browser/AllowExtensions**
-
@@ -2381,16 +2408,12 @@ ADMX Info:
-
-
-**Browser/AllowFlash**
-
@@ -2426,10 +2453,6 @@ ADMX Info:
-
-
-**Browser/AllowFlashClickToRun**
-
@@ -2465,10 +2492,6 @@ ADMX Info:
-
-
-**Browser/AllowInPrivate**
-
@@ -2493,21 +2520,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-
**Browser/AllowMicrosoftCompatibilityList**
@@ -2570,6 +2570,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
**Browser/AllowPasswordManager**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Browser/AllowPopups**
-
@@ -2608,16 +2635,12 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
-
-
-
**Browser/AllowSearchEngineCustomization**
@@ -2686,20 +2686,6 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
**Browser/AllowSearchSuggestionsinAddressBar**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
@@ -2723,10 +2709,47 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-
**Browser/ClearBrowsingDataOnExit**
@@ -2849,6 +2849,29 @@ Employees cannot remove these search engines, but they can set any one as the de
**Browser/EnterpriseModeSiteList**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2865,6 +2888,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/EnterpriseSiteListServiceUrl**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Browser/EnterpriseSiteListServiceUrl**
-
> [!IMPORTANT]
> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
@@ -2900,6 +2923,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/FirstRunURL**
+
@@ -2888,10 +2915,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-**Browser/FirstRunURL**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -2942,6 +2965,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/HomePages**
+
@@ -2912,21 +2939,17 @@ Employees cannot remove these search engines, but they can set any one as the de
MobileEnterprise
-
-
-
-
-**Browser/HomePages**
-
> [!NOTE]
> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -2987,6 +3010,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
+
@@ -2954,21 +2981,17 @@ Employees cannot remove these search engines, but they can set any one as the de
MobileEnterprise
-
-
-
-
-**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
-
@@ -3010,10 +3037,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-
**Browser/PreventFirstRunPage**
@@ -3089,6 +3089,29 @@ Employees cannot remove these search engines, but they can set any one as the de
**Browser/PreventSmartScreenPromptOverride**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Browser/PreventSmartScreenPromptOverrideForFiles**
-
@@ -3126,10 +3153,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-**Browser/PreventUsingLocalHostIPAddressForWebRTC**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -3185,6 +3208,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Browser/SendIntranetTraffictoInternetExplorer**
+
@@ -3159,16 +3186,12 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-**Browser/SendIntranetTraffictoInternetExplorer**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -3230,29 +3253,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
@@ -3197,7 +3224,7 @@ Employees cannot remove these search engines, but they can set any one as the de
MobileEnterprise
-
-
-
-
**Browser/SetDefaultSearchEngine**
@@ -3282,24 +3282,6 @@ Employees cannot remove these search engines, but they can set any one as the de
**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+
@@ -3323,10 +3305,51 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-
**Camera/AllowCamera**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+
@@ -3416,10 +3402,47 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Connectivity/AllowCellularData**
-
@@ -3454,20 +3481,16 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-
-**Connectivity/AllowCellularDataRoaming**
-
@@ -3494,20 +3521,16 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-
-**Connectivity/AllowConnectedDevices**
-
> [!NOTE]
> This policy requires reboot to take effect.
@@ -3573,6 +3596,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowNFC**
+
@@ -3543,9 +3570,9 @@ Employees cannot remove these search engines, but they can set any one as the de
MobileEnterprise
-
+
-
-
-**Connectivity/AllowNFC**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -3618,6 +3641,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowUSBConnection**
+
@@ -3585,21 +3612,17 @@ Employees cannot remove these search engines, but they can set any one as the de
MobileEnterprise
-
+
-
-
-**Connectivity/AllowUSBConnection**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -3665,6 +3688,10 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+
+**Connectivity/AllowVPNOverCellular**
+
@@ -3641,10 +3668,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-**Connectivity/AllowVPNOverCellular**
-
@@ -3678,20 +3705,16 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-
-**Connectivity/AllowVPNRoamingOverCellular**
-
@@ -3729,10 +3756,6 @@ Employees cannot remove these search engines, but they can set any one as the de
-
-
-
**Connectivity/HardenedUNCPaths**
@@ -3893,6 +3893,29 @@ ADMX Info:
**Cryptography/AllowFipsAlgorithmPolicy**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Cryptography/TLSCipherSuites**
-
@@ -3928,10 +3955,6 @@ ADMX Info:
-
-
-**DataProtection/AllowDirectMemoryAccess**
-
@@ -3962,10 +3989,6 @@ ADMX Info:
-
-
-**DataProtection/LegacySelectiveWipeID**
-
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
@@ -4022,29 +4045,6 @@ ADMX Info:
-
-
@@ -3992,21 +4019,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-
**DataUsage/SetCost3G**
@@ -4107,6 +4107,29 @@ ADMX Info:
**Defender/AllowArchiveScanning**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4123,6 +4146,10 @@ ADMX Info:
+
+
+**Defender/AllowBehaviorMonitoring**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Defender/AllowBehaviorMonitoring**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4166,6 +4189,10 @@ ADMX Info:
+
+
+**Defender/AllowCloudProtection**
+
@@ -4146,10 +4173,6 @@ ADMX Info:
-
-
-**Defender/AllowCloudProtection**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4209,6 +4232,10 @@ ADMX Info:
+
+
+**Defender/AllowEmailScanning**
+
@@ -4189,10 +4216,6 @@ ADMX Info:
-
-
-**Defender/AllowEmailScanning**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4252,6 +4275,10 @@ ADMX Info:
+
+
+**Defender/AllowFullScanOnMappedNetworkDrives**
+
@@ -4232,10 +4259,6 @@ ADMX Info:
-
-
-**Defender/AllowFullScanOnMappedNetworkDrives**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4295,6 +4318,10 @@ ADMX Info:
+
+
+**Defender/AllowFullScanRemovableDriveScanning**
+
@@ -4275,10 +4302,6 @@ ADMX Info:
-
-
-**Defender/AllowFullScanRemovableDriveScanning**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4338,6 +4361,10 @@ ADMX Info:
+
+
+**Defender/AllowIOAVProtection**
+
@@ -4318,10 +4345,6 @@ ADMX Info:
-
-
-**Defender/AllowIOAVProtection**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4381,6 +4404,10 @@ ADMX Info:
+
+
+**Defender/AllowIntrusionPreventionSystem**
+
@@ -4361,10 +4388,6 @@ ADMX Info:
-
-
-**Defender/AllowIntrusionPreventionSystem**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4424,6 +4447,10 @@ ADMX Info:
+
+
+**Defender/AllowOnAccessProtection**
+
@@ -4404,10 +4431,6 @@ ADMX Info:
-
-
-**Defender/AllowOnAccessProtection**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4467,6 +4490,10 @@ ADMX Info:
+
+
+**Defender/AllowRealtimeMonitoring**
+
@@ -4447,10 +4474,6 @@ ADMX Info:
-
-
-**Defender/AllowRealtimeMonitoring**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4510,6 +4533,10 @@ ADMX Info:
+
+
+**Defender/AllowScanningNetworkFiles**
+
@@ -4490,10 +4517,6 @@ ADMX Info:
-
-
-**Defender/AllowScanningNetworkFiles**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4553,6 +4576,10 @@ ADMX Info:
+
+
+**Defender/AllowScriptScanning**
+
@@ -4533,10 +4560,6 @@ ADMX Info:
-
-
-**Defender/AllowScriptScanning**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4596,6 +4619,10 @@ ADMX Info:
+
+
+**Defender/AllowUserUIAccess**
+
@@ -4576,10 +4603,6 @@ ADMX Info:
-
-
-**Defender/AllowUserUIAccess**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4639,6 +4662,10 @@ ADMX Info:
+
+
+**Defender/AvgCPULoadFactor**
+
@@ -4619,10 +4646,6 @@ ADMX Info:
-
-
-**Defender/AvgCPULoadFactor**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4681,6 +4704,10 @@ ADMX Info:
+
+
+**Defender/DaysToRetainCleanedMalware**
+
@@ -4662,10 +4689,6 @@ ADMX Info:
-
-
-**Defender/DaysToRetainCleanedMalware**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4723,6 +4746,10 @@ ADMX Info:
+
+
+**Defender/ExcludedExtensions**
+
@@ -4704,10 +4731,6 @@ ADMX Info:
-
-
-**Defender/ExcludedExtensions**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4761,6 +4784,10 @@ ADMX Info:
+
+
+**Defender/ExcludedPaths**
+
@@ -4746,10 +4773,6 @@ ADMX Info:
-
-
-**Defender/ExcludedPaths**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4799,6 +4822,10 @@ ADMX Info:
+
+
+**Defender/ExcludedProcesses**
+
@@ -4784,10 +4811,6 @@ ADMX Info:
-
-
-**Defender/ExcludedProcesses**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4843,6 +4866,10 @@ ADMX Info:
+
+
+**Defender/PUAProtection**
+
@@ -4822,10 +4849,6 @@ ADMX Info:
-
-
-**Defender/PUAProtection**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4887,6 +4910,10 @@ ADMX Info:
+
+
+**Defender/RealTimeScanDirection**
+
@@ -4866,10 +4893,6 @@ ADMX Info:
-
-
-**Defender/RealTimeScanDirection**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4935,6 +4958,10 @@ ADMX Info:
+
+
+**Defender/ScanParameter**
+
@@ -4910,10 +4937,6 @@ ADMX Info:
-
-
-**Defender/ScanParameter**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -4978,6 +5001,10 @@ ADMX Info:
+
+
+**Defender/ScheduleQuickScanTime**
+
@@ -4958,10 +4985,6 @@ ADMX Info:
-
-
-**Defender/ScheduleQuickScanTime**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -5026,6 +5049,10 @@ ADMX Info:
+
+
+**Defender/ScheduleScanDay**
+
@@ -5001,10 +5028,6 @@ ADMX Info:
-
-
-**Defender/ScheduleScanDay**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -5080,6 +5103,10 @@ ADMX Info:
+
+
+**Defender/ScheduleScanTime**
+
@@ -5049,10 +5076,6 @@ ADMX Info:
-
-
-**Defender/ScheduleScanTime**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -5128,6 +5151,10 @@ ADMX Info:
+
+
+**Defender/SignatureUpdateInterval**
+
@@ -5103,10 +5130,6 @@ ADMX Info:
-
-
-**Defender/SignatureUpdateInterval**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -5172,6 +5195,10 @@ ADMX Info:
+
+
+**Defender/SubmitSamplesConsent**
+
@@ -5151,10 +5178,6 @@ ADMX Info:
-
-
-**Defender/SubmitSamplesConsent**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -5217,6 +5240,10 @@ ADMX Info:
+
+
+**Defender/ThreatSeverityDefaultAction**
+
@@ -5195,10 +5222,6 @@ ADMX Info:
-
-
-**Defender/ThreatSeverityDefaultAction**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@@ -5273,6 +5296,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOAbsoluteMaxCacheSize**
+
@@ -5240,10 +5267,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOAbsoluteMaxCacheSize**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5313,6 +5336,50 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOAllowVPNPeerCaching**
+
+
+
@@ -5285,7 +5312,7 @@ ADMX Info:
MobileEnterprise
-
+
+
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**DeliveryOptimization/DOAllowVPNPeerCaching**
-
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-
@@ -5336,50 +5403,6 @@ ADMX Info:
-
-
-
-
-
-**DeliveryOptimization/DODownloadMode**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5400,6 +5423,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOGroupId**
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-**DeliveryOptimization/DOGroupId**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5442,6 +5465,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMaxCacheAge**
+
@@ -5423,10 +5450,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMaxCacheAge**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5482,6 +5505,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMaxCacheSize**
+
@@ -5465,10 +5492,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMaxCacheSize**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5522,6 +5545,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMaxDownloadBandwidth**
+
@@ -5505,10 +5532,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMaxDownloadBandwidth**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5562,6 +5585,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMaxUploadBandwidth**
+
@@ -5545,10 +5572,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMaxUploadBandwidth**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5602,6 +5625,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMinBackgroundQos**
+
@@ -5585,10 +5612,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMinBackgroundQos**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5642,6 +5665,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
+
@@ -5625,10 +5652,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5681,6 +5704,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
+
@@ -5656,7 +5683,7 @@ ADMX Info:
+
-
-
-**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5725,6 +5748,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMinFileSizeToCache**
+
@@ -5704,10 +5731,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMinFileSizeToCache**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5766,6 +5789,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOMinRAMAllowedToPeer**
+
@@ -5748,10 +5775,6 @@ ADMX Info:
-
-
-**DeliveryOptimization/DOMinRAMAllowedToPeer**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5806,46 +5829,10 @@ ADMX Info:
-
-
@@ -5789,10 +5816,6 @@ ADMX Info:
-
-
-
**DeliveryOptimization/DOModifyCacheDrive**
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
+
+
+
@@ -5869,10 +5856,46 @@ ADMX Info:
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5888,6 +5911,10 @@ ADMX Info:
+
+
+**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -5928,29 +5951,6 @@ ADMX Info:
-
-
@@ -5911,10 +5938,6 @@ ADMX Info:
-
-
-
**Desktop/PreventUserRedirectionOfProfileFolders**
@@ -6021,26 +6021,6 @@ ADMX Info:
**DeviceLock/AllowIdleReturnWithoutPassword**
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
+
@@ -6064,10 +6044,53 @@ ADMX Info:
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -6092,6 +6115,10 @@ ADMX Info:
+
+
+**DeviceLock/AllowSimpleDevicePassword**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**DeviceLock/AllowSimpleDevicePassword**
-
@@ -6104,21 +6131,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-
-**DeviceLock/AlphanumericDevicePasswordRequired**
-
@@ -6160,10 +6187,6 @@ ADMX Info:
-
-
-**DeviceLock/DevicePasswordEnabled**
-
@@ -6212,10 +6239,6 @@ ADMX Info:
-
-
-**DeviceLock/DevicePasswordExpiration**
-
@@ -6291,10 +6318,6 @@ ADMX Info:
-
-
-**DeviceLock/DevicePasswordHistory**
-
@@ -6338,10 +6365,6 @@ ADMX Info:
-
-
-**DeviceLock/EnforceLockScreenAndLogonImage**
-
@@ -6376,21 +6403,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-**DeviceLock/EnforceLockScreenProvider**
-
@@ -6419,18 +6446,14 @@ ADMX Info:
-
-
-
-**DeviceLock/MaxDevicePasswordFailedAttempts**
-
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
@@ -6498,6 +6521,10 @@ The number of authentication failures allowed before the device will be wiped. A
+
+
+**DeviceLock/MaxInactivityTimeDeviceLock**
+
@@ -6456,21 +6483,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-
-**DeviceLock/MaxInactivityTimeDeviceLock**
-
@@ -6521,10 +6548,6 @@ The number of authentication failures allowed before the device will be wiped. A
+
+
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
-
-
-
@@ -6566,53 +6636,6 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
-
-
-**DeviceLock/MinDevicePasswordComplexCharacters**
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-**DeviceLock/MinDevicePasswordLength**
-
@@ -6714,10 +6741,6 @@ The number of authentication failures allowed before the device will be wiped. A
-
-
-
**DeviceLock/PreventLockScreenSlideShow**
@@ -6790,24 +6790,6 @@ ADMX Info:
**DeviceLock/ScreenTimeoutWhileLocked**
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
@@ -6831,10 +6813,51 @@ ADMX Info:
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**Display/TurnOnGdiDPIScalingForApps**
-
@@ -6878,10 +6905,6 @@ ADMX Info:
-
-
-**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
-
@@ -6919,16 +6946,12 @@ ADMX Info:
-
-
-**EnterpriseCloudPrint/CloudPrintOAuthClientId**
-
@@ -6963,10 +6990,6 @@ ADMX Info:
-
-
-**EnterpriseCloudPrint/CloudPrintResourceId**
-
@@ -7001,10 +7028,6 @@ ADMX Info:
-
-
-**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
-
@@ -7039,10 +7066,6 @@ ADMX Info:
-
-
-**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
-
@@ -7077,10 +7104,6 @@ ADMX Info:
-
-
-**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
-
@@ -7115,10 +7142,6 @@ ADMX Info:
-
-
-
**ErrorReporting/CustomizeConsentSettings**
@@ -7371,23 +7371,6 @@ ADMX Info:
**Experience/AllowCopyPaste**
-
-> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+
@@ -7411,10 +7394,50 @@ ADMX Info:
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Experience/AllowDeviceDiscovery**
-
@@ -7460,10 +7487,6 @@ ADMX Info:
-
-
-
**Experience/AllowFindMyDevice**
@@ -7522,6 +7522,29 @@ ADMX Info:
**Experience/AllowManualMDMUnenrollment**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -7583,6 +7606,10 @@ ADMX Info:
+
+
+**Experience/AllowScreenCapture**
+
@@ -7553,20 +7580,16 @@ ADMX Info:
-
-
-
-**Experience/AllowScreenCapture**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -7628,6 +7651,10 @@ ADMX Info:
+
+
+**Experience/AllowSyncMySettings**
+
@@ -7606,10 +7633,6 @@ ADMX Info:
-
-
-**Experience/AllowSyncMySettings**
-
@@ -7641,20 +7668,16 @@ ADMX Info:
-
-
-
-
**Experience/AllowTailoredExperiencesWithDiagnosticData**
@@ -7719,6 +7719,29 @@ ADMX Info:
**Experience/AllowTaskSwitcher**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -7735,6 +7758,10 @@ ADMX Info:
+
+
+**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
-
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@@ -7778,6 +7801,10 @@ ADMX Info:
+
+
+**Experience/AllowVoiceRecording**
+
@@ -7748,20 +7775,16 @@ ADMX Info:
-
-
-
-**Experience/AllowVoiceRecording**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -7823,6 +7846,10 @@ ADMX Info:
+
+
+**Experience/AllowWindowsConsumerFeatures**
+
@@ -7791,20 +7818,16 @@ ADMX Info:
-
-
-
-**Experience/AllowWindowsConsumerFeatures**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -7875,6 +7898,10 @@ ADMX Info:
+
+
+**Experience/AllowWindowsSpotlight**
+
@@ -7836,20 +7863,16 @@ ADMX Info:
-
-
-
-**Experience/AllowWindowsSpotlight**
-
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@@ -7920,29 +7943,6 @@ ADMX Info:
-
-
@@ -7888,7 +7915,7 @@ ADMX Info:
-
-
-
**Experience/AllowWindowsSpotlightOnActionCenter**
@@ -7990,18 +7990,6 @@ The Windows welcome experience feature introduces onboard users to Windows; for
**Experience/AllowWindowsTips**
-
-Enables or disables Windows Tips / soft landing.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+Enables or disables Windows Tips / soft landing.
+
+
@@ -8025,10 +8013,45 @@ Enables or disables Windows Tips / soft landing.
+
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@@ -8046,6 +8069,10 @@ Enables or disables Windows Tips / soft landing.
+
+
+**Experience/DoNotShowFeedbackNotifications**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Experience/DoNotShowFeedbackNotifications**
-
@@ -8058,21 +8085,17 @@ Enables or disables Windows Tips / soft landing.
MobileEnterprise
-
-
-
-
**Games/AllowAdvancedGamingServices**
@@ -11928,6 +11928,29 @@ ADMX Info:
**Licensing/AllowWindowsEntitlementReactivation**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Licensing/DisallowKMSClientOnlineAVSValidation**
-
@@ -11963,10 +11990,6 @@ ADMX Info:
-
-
-**Location/EnableLocation**
-
@@ -11991,21 +12018,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-
**LockDown/AllowEdgeSwipe**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+
@@ -12090,10 +12076,47 @@ ADMX Info:
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Maps/EnableOfflineMapsAutoUpdate**
-
@@ -12132,10 +12159,6 @@ ADMX Info:
-
-
-
**Messaging/AllowMMS**
@@ -12197,18 +12197,6 @@ ADMX Info:
**Messaging/AllowMessageSync**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
@@ -12232,6 +12220,18 @@ ADMX Info:
+
+
@@ -12285,10 +12278,40 @@ ADMX Info:
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
-
@@ -12328,10 +12355,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-**NetworkIsolation/EnterpriseInternalProxyServers**
-
@@ -12362,10 +12389,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-**NetworkIsolation/EnterpriseNetworkDomainNames**
-
@@ -12396,10 +12423,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-**NetworkIsolation/EnterpriseProxyServers**
-
@@ -12440,10 +12467,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
-
@@ -12474,10 +12501,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-**NetworkIsolation/NeutralResources**
-
@@ -12508,10 +12535,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-**Notifications/DisallowNotificationMirroring**
-
@@ -12542,10 +12569,6 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-
**Power/AllowStandbyWhenSleepingPluggedIn**
@@ -12748,20 +12748,6 @@ ADMX Info:
**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-**Privacy/AllowInputPersonalization**
-
-
@@ -12785,24 +12771,24 @@ ADMX Info:
+
+
@@ -12826,10 +12812,47 @@ ADMX Info:
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Privacy/LetAppsAccessAccountInfo**
-
@@ -12868,10 +12895,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
-
@@ -12910,10 +12937,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
-
@@ -12944,10 +12971,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
-
@@ -12978,10 +13005,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCalendar**
-
@@ -13012,10 +13039,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
-
@@ -13054,10 +13081,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
-
@@ -13088,10 +13115,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
-
@@ -13122,10 +13149,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCallHistory**
-
@@ -13156,10 +13183,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
-
@@ -13198,10 +13225,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
-
@@ -13232,10 +13259,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
-
@@ -13266,10 +13293,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCamera**
-
@@ -13300,10 +13327,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
-
@@ -13342,10 +13369,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
-
@@ -13376,10 +13403,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
-
@@ -13410,10 +13437,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessContacts**
-
@@ -13444,10 +13471,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
-
@@ -13486,10 +13513,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
-
@@ -13520,10 +13547,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
-
@@ -13554,10 +13581,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessEmail**
-
@@ -13588,10 +13615,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
-
@@ -13630,10 +13657,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
-
@@ -13664,10 +13691,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
-
@@ -13698,10 +13725,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessLocation**
-
@@ -13732,10 +13759,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
-
@@ -13774,10 +13801,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
-
@@ -13808,10 +13835,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
-
@@ -13842,10 +13869,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMessaging**
-
@@ -13876,10 +13903,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
-
@@ -13918,10 +13945,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
-
@@ -13952,10 +13979,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
-
@@ -13986,10 +14013,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMicrophone**
-
@@ -14020,10 +14047,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
-
@@ -14062,10 +14089,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
-
@@ -14096,10 +14123,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
-
@@ -14130,10 +14157,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMotion**
-
@@ -14164,10 +14191,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
-
@@ -14206,10 +14233,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
-
@@ -14240,10 +14267,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
-
@@ -14274,10 +14301,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessNotifications**
-
@@ -14308,10 +14335,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
-
@@ -14350,10 +14377,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
-
@@ -14384,10 +14411,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
-
@@ -14418,10 +14445,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessPhone**
-
@@ -14452,10 +14479,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
-
@@ -14494,10 +14521,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
-
@@ -14528,10 +14555,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
-
@@ -14562,10 +14589,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessRadios**
-
@@ -14596,10 +14623,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
-
@@ -14638,10 +14665,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
-
@@ -14672,10 +14699,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
-
@@ -14706,10 +14733,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTasks**
-
@@ -14740,10 +14767,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
-
@@ -14774,10 +14801,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
-
@@ -14808,10 +14835,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
-
@@ -14842,10 +14869,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTrustedDevices**
-
@@ -14876,10 +14903,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
-
@@ -14918,10 +14945,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
-
@@ -14952,10 +14979,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
-
@@ -14986,10 +15013,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsGetDiagnosticInfo**
-
@@ -15020,10 +15047,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
-
@@ -15062,10 +15089,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
-
@@ -15096,10 +15123,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
-
@@ -15130,10 +15157,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsRunInBackground**
-
@@ -15164,10 +15191,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
-
@@ -15208,10 +15235,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
-
@@ -15242,10 +15269,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
-
@@ -15276,10 +15303,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsSyncWithDevices**
-
@@ -15310,10 +15337,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
-
@@ -15352,10 +15379,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
-
@@ -15386,10 +15413,6 @@ ADMX Info:
-
-
-**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
-
@@ -15420,10 +15447,6 @@ ADMX Info:
-
-
-
**RemoteAssistance/CustomizeWarningMessages**
@@ -15824,6 +15824,29 @@ ADMX Info:
**Search/AllowIndexingEncryptedStoresOrItems**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Search/AllowSearchToUseLocation**
-
@@ -15865,10 +15892,6 @@ ADMX Info:
-
-
-**Search/AllowUsingDiacritics**
-
@@ -15906,10 +15933,6 @@ ADMX Info:
-
-
-**Search/AlwaysUseAutoLangDetection**
-
@@ -15947,10 +15974,6 @@ ADMX Info:
-
-
-**Search/DisableBackoff**
-
@@ -15988,10 +16015,6 @@ ADMX Info:
-
-
-**Search/DisableRemovableDriveIndexing**
-
@@ -16027,10 +16054,6 @@ ADMX Info:
-
-
-**Search/PreventIndexingLowDiskSpaceMB**
-
@@ -16070,10 +16097,6 @@ ADMX Info:
-
-
-**Search/PreventRemoteQueries**
-
@@ -16113,10 +16140,6 @@ ADMX Info:
-
-
-**Search/SafeSearchPermissions**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -16174,6 +16197,10 @@ ADMX Info:
+
+
+**Security/AllowAddProvisioningPackage**
+
@@ -16142,20 +16169,16 @@ ADMX Info:
-
-
-
-**Security/AllowAddProvisioningPackage**
-
@@ -16187,20 +16214,16 @@ ADMX Info:
-
-
-
-**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
> [!NOTE]
> This policy has been deprecated in Windows 10, version 1607
@@ -16261,6 +16284,10 @@ ADMX Info:
+
+
+**Security/AllowManualRootCertificateInstallation**
+
@@ -16230,16 +16257,12 @@ ADMX Info:
-
-
-**Security/AllowManualRootCertificateInstallation**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -16306,6 +16329,10 @@ ADMX Info:
+
+
+**Security/AllowRemoveProvisioningPackage**
+
@@ -16274,20 +16301,16 @@ ADMX Info:
-
-
-
-**Security/AllowRemoveProvisioningPackage**
-
@@ -16319,20 +16346,16 @@ ADMX Info:
-
-
-
-**Security/AntiTheftMode**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -16388,6 +16411,10 @@ ADMX Info:
+
+
+**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
+
@@ -16358,20 +16385,16 @@ ADMX Info:
-
-
-
-**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16433,6 +16456,10 @@ ADMX Info:
+
+
+**Security/RequireDeviceEncryption**
+
@@ -16401,20 +16428,16 @@ ADMX Info:
-
-
-
-**Security/RequireDeviceEncryption**
-
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
@@ -16481,6 +16504,10 @@ ADMX Info:
+
+
+**Security/RequireProvisioningPackageSignature**
+
@@ -16446,20 +16473,16 @@ ADMX Info:
-
-
-
-**Security/RequireProvisioningPackageSignature**
-
@@ -16494,20 +16521,16 @@ ADMX Info:
-
-
-
-**Security/RequireRetrieveHealthCertificateOnBoot**
-
@@ -16532,7 +16559,7 @@ ADMX Info:
MobileEnterprise
-
-
-
-**Settings/AllowAutoPlay**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16617,6 +16640,10 @@ ADMX Info:
+
+
+**Settings/AllowDataSense**
+
@@ -16582,21 +16609,17 @@ ADMX Info:
MobileEnterprise
-
-
-
-**Settings/AllowDataSense**
-
@@ -16634,16 +16661,12 @@ ADMX Info:
-
-
-**Settings/AllowDateTime**
-
@@ -16679,10 +16706,6 @@ ADMX Info:
-
-
-**Settings/AllowEditDeviceName**
-
@@ -16708,20 +16735,16 @@ ADMX Info:
-
-
-
-**Settings/AllowLanguage**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16777,6 +16800,10 @@ ADMX Info:
+
+
+**Settings/AllowPowerSleep**
+
@@ -16747,20 +16774,16 @@ ADMX Info:
-
-
-
-**Settings/AllowPowerSleep**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16820,6 +16843,10 @@ ADMX Info:
+
+
+**Settings/AllowRegion**
+
@@ -16800,10 +16827,6 @@ ADMX Info:
-
-
-**Settings/AllowRegion**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16863,6 +16886,10 @@ ADMX Info:
+
+
+**Settings/AllowSignInOptions**
+
@@ -16843,10 +16870,6 @@ ADMX Info:
-
-
-**Settings/AllowSignInOptions**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16906,6 +16929,10 @@ ADMX Info:
+
+
+**Settings/AllowVPN**
+
@@ -16886,10 +16913,6 @@ ADMX Info:
-
-
-**Settings/AllowVPN**
-
@@ -16923,16 +16950,12 @@ ADMX Info:
-
-
-**Settings/AllowWorkplace**
-
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -16988,6 +17011,10 @@ ADMX Info:
+
+
+**Settings/AllowYourAccount**
+
@@ -16962,16 +16989,12 @@ ADMX Info:
-
-
-**Settings/AllowYourAccount**
-
@@ -17005,16 +17032,12 @@ ADMX Info:
-
-
-**Settings/ConfigureTaskbarCalendar**
-
@@ -17041,19 +17068,15 @@ ADMX Info:
-
-
-
-**Settings/PageVisibilityList**
-
@@ -17085,16 +17112,12 @@ ADMX Info:
-
-
-**SmartScreen/EnableAppInstallControl**
-
@@ -17149,16 +17176,12 @@ ADMX Info:
-
-
-**SmartScreen/EnableSmartScreenInShell**
-
@@ -17194,10 +17221,6 @@ ADMX Info:
-
-
-**SmartScreen/PreventOverrideForFilesInShell**
-
@@ -17233,10 +17260,6 @@ ADMX Info:
-
-
-
**Speech/AllowSpeechModelUpdate**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+
@@ -17311,10 +17299,45 @@ ADMX Info:
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -17334,29 +17357,6 @@ ADMX Info:
-
-
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-
**Start/HideAppList**
@@ -17746,26 +17746,6 @@ ADMX Info:
**Start/StartLayout**
-
-> [!IMPORTANT]
-> This node is set on a per-user basis and must be accessed using the following paths:
-> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
->
->
-> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
-> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
-> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+> [!IMPORTANT]
+> This node is set on a per-user basis and must be accessed using the following paths:
+> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
+> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
+>
+>
+> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths:
+> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy.
+> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy.
+
+
+
@@ -17789,6 +17769,26 @@ ADMX Info:
+
+
+
> [!NOTE]
> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
@@ -17834,6 +17857,10 @@ ADMX Info:
+
+
+**System/AllowEmbeddedMode**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**System/AllowEmbeddedMode**
-
@@ -17857,10 +17884,6 @@ ADMX Info:
-
-
-**System/AllowExperimentation**
-
> [!NOTE]
> This policy is not supported in Windows 10, version 1607.
@@ -17920,6 +17943,10 @@ ADMX Info:
+
+
+**System/AllowFontProviders**
+
@@ -17898,10 +17925,6 @@ ADMX Info:
-
-
-**System/AllowFontProviders**
-
@@ -17934,7 +17961,7 @@ ADMX Info:
+
-
-
-**System/AllowLocation**
-
@@ -17984,7 +18011,7 @@ ADMX Info:
-
-
-**System/AllowStorageCard**
-
@@ -18041,10 +18068,6 @@ ADMX Info:
-
-
-**System/AllowTelemetry**
-
@@ -18082,10 +18109,6 @@ ADMX Info:
-
-
-**System/AllowUserToResetPhone**
-
@@ -18178,10 +18205,6 @@ ADMX Info:
-
-
-
**System/BootStartDriverInitialization**
@@ -18241,6 +18241,29 @@ ADMX Info:
**System/DisableOneDriveFileSync**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-
**System/DisableSystemRestore**
@@ -18322,15 +18322,6 @@ ADMX Info:
**System/TelemetryProxy**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+
@@ -18354,10 +18345,42 @@ ADMX Info:
+
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18376,6 +18399,10 @@ ADMX Info:
+
+
+**TextInput/AllowIMENetworkAccess**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**TextInput/AllowIMENetworkAccess**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18421,6 +18444,10 @@ ADMX Info:
+
+
+**TextInput/AllowInputPanel**
+
@@ -18399,10 +18426,6 @@ ADMX Info:
-
-
-**TextInput/AllowInputPanel**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18466,6 +18489,10 @@ ADMX Info:
+
+
+**TextInput/AllowJapaneseIMESurrogatePairCharacters**
+
@@ -18444,10 +18471,6 @@ ADMX Info:
-
-
-**TextInput/AllowJapaneseIMESurrogatePairCharacters**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18511,6 +18534,10 @@ ADMX Info:
+
+
+**TextInput/AllowJapaneseIVSCharacters**
+
@@ -18489,10 +18516,6 @@ ADMX Info:
-
-
-**TextInput/AllowJapaneseIVSCharacters**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18556,6 +18579,10 @@ ADMX Info:
+
+
+**TextInput/AllowJapaneseNonPublishingStandardGlyph**
+
@@ -18534,10 +18561,6 @@ ADMX Info:
-
-
-**TextInput/AllowJapaneseNonPublishingStandardGlyph**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18601,6 +18624,10 @@ ADMX Info:
+
+
+**TextInput/AllowJapaneseUserDictionary**
+
@@ -18579,10 +18606,6 @@ ADMX Info:
-
-
-**TextInput/AllowJapaneseUserDictionary**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18646,6 +18669,10 @@ ADMX Info:
+
+
+**TextInput/AllowKeyboardTextSuggestions**
+
@@ -18624,10 +18651,6 @@ ADMX Info:
-
-
-**TextInput/AllowKeyboardTextSuggestions**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18696,29 +18719,6 @@ ADMX Info:
-
-
@@ -18660,7 +18687,7 @@ ADMX Info:
+
-
-
-
**TextInput/AllowKoreanExtendedHanja**
@@ -18734,6 +18734,29 @@ ADMX Info:
**TextInput/AllowLanguageFeaturesUninstall**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
+
+
+
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18752,6 +18775,10 @@ ADMX Info:
+
+
+**TextInput/ExcludeJapaneseIMEExceptJIS0208**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**TextInput/ExcludeJapaneseIMEExceptJIS0208**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18795,6 +18818,10 @@ ADMX Info:
+
+
+**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
+
@@ -18775,10 +18802,6 @@ ADMX Info:
-
-
-**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18838,6 +18861,10 @@ ADMX Info:
+
+
+**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
+
@@ -18818,10 +18845,6 @@ ADMX Info:
-
-
-**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
-
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@@ -18881,29 +18904,6 @@ ADMX Info:
-
-
@@ -18861,10 +18888,6 @@ ADMX Info:
-
-
-
**TimeLanguageSettings/AllowSet24HourClock**
@@ -18924,24 +18924,6 @@ ADMX Info:
**Update/ActiveHoursEnd**
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+
@@ -18965,6 +18947,24 @@ ADMX Info:
+
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+
@@ -19029,10 +19011,51 @@ ADMX Info:
+
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19061,6 +19084,10 @@ ADMX Info:
+
+
+**Update/AllowMUUpdateService**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Update/AllowMUUpdateService**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
@@ -19104,6 +19127,10 @@ ADMX Info:
+
+
+**Update/AllowNonMicrosoftSignedUpdate**
+
@@ -19079,15 +19106,11 @@ ADMX Info:
-
-
-**Update/AllowNonMicrosoftSignedUpdate**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19151,6 +19174,10 @@ ADMX Info:
+
+
+**Update/AllowUpdateService**
+
@@ -19122,15 +19149,11 @@ ADMX Info:
-
-
-**Update/AllowUpdateService**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19202,29 +19225,6 @@ ADMX Info:
-
-
@@ -19174,10 +19201,6 @@ ADMX Info:
-
-
-
**Update/AutoRestartNotificationSchedule**
@@ -19268,6 +19268,29 @@ ADMX Info:
**Update/BranchReadinessLevel**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19284,6 +19307,10 @@ ADMX Info:
+
+
+**Update/DeferFeatureUpdatesPeriodInDays**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Update/DeferFeatureUpdatesPeriodInDays**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -19327,6 +19350,10 @@ ADMX Info:
+
+
+**Update/DeferQualityUpdatesPeriodInDays**
+
@@ -19302,15 +19329,11 @@ ADMX Info:
-
-
-**Update/DeferQualityUpdatesPeriodInDays**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19367,6 +19390,10 @@ ADMX Info:
+
+
+**Update/DeferUpdatePeriod**
+
@@ -19345,15 +19372,11 @@ ADMX Info:
-
-
-**Update/DeferUpdatePeriod**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19470,6 +19493,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/DeferUpgradePeriod**
+
@@ -19390,10 +19417,6 @@ ADMX Info:
-
-
-**Update/DeferUpgradePeriod**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -19518,6 +19541,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/DetectionFrequency**
+
@@ -19488,15 +19515,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/DetectionFrequency**
-
@@ -19532,19 +19559,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
-
-
-
**Update/EngagedRestartDeadline**
@@ -19636,23 +19636,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
**Update/ExcludeWUDriversInQualityUpdate**
-
-> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
-> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-**Update/FillEmptyContentUrls**
-
-
@@ -19676,25 +19659,27 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
@@ -19718,10 +19703,48 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**Update/IgnoreMOUpdateDownloadLimit**
-
@@ -19771,10 +19798,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/PauseDeferrals**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19848,6 +19871,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/PauseFeatureUpdates**
+
@@ -19813,7 +19840,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/PauseFeatureUpdates**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
@@ -19892,6 +19915,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/PauseFeatureUpdatesStartTime**
+
@@ -19866,15 +19893,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/PauseFeatureUpdatesStartTime**
-
@@ -19910,15 +19937,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/PauseQualityUpdates**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -19970,6 +19993,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/PauseQualityUpdatesStartTime**
+
@@ -19951,10 +19978,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/PauseQualityUpdatesStartTime**
-
@@ -19993,10 +20020,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/RequireDeferUpgrade**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -20051,6 +20074,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/RequireUpdateApproval**
+
@@ -20029,10 +20056,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-**Update/RequireUpdateApproval**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -20101,29 +20124,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
@@ -20074,10 +20101,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
**Update/ScheduleImminentRestartWarning**
@@ -20166,6 +20166,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
**Update/ScheduledInstallDay**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -20192,6 +20215,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+**Update/ScheduledInstallTime**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Update/ScheduledInstallTime**
-
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -20238,29 +20261,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
@@ -20215,10 +20242,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
-
-
-
**Update/SetAutoRestartNotificationDisable**
@@ -20285,18 +20285,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
**Update/SetEDURestart**
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
@@ -20320,10 +20308,45 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -20362,6 +20385,10 @@ Example
+
+
+**Update/UpdateServiceUrlAlternate**
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Update/UpdateServiceUrlAlternate**
-
> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@@ -20409,29 +20432,6 @@ Example
-
-
@@ -20380,15 +20407,11 @@ Example
-
-
-
**WiFi/AllowWiFiHotSpotReporting**
@@ -20447,6 +20447,29 @@ Example
**Wifi/AllowAutoConnectToWiFiSenseHotspots**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
-
-
-**Wifi/AllowInternetSharing**
-
@@ -20484,10 +20511,6 @@ Example
-
-
-**Wifi/AllowManualWiFiConfiguration**
-
@@ -20525,10 +20552,6 @@ Example
-
-
-**Wifi/AllowWiFi**
-
@@ -20570,10 +20597,6 @@ Example
+
+
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**Wifi/AllowWiFiDirect**
-
-
-
@@ -20611,47 +20675,6 @@ Example
-
-
-
-
-
-**Wifi/WLANScanMode**
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
-
@@ -20682,16 +20709,12 @@ Example
-
-
-**WindowsInkWorkspace/AllowWindowsInkWorkspace**
-
@@ -20727,10 +20754,6 @@ Example
-
-
-
**WindowsLogon/DisableLockScreenAppNotifications**
@@ -20815,6 +20815,29 @@ ADMX Info:
**WindowsLogon/HideFastUserSwitching**
+
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
+
+
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
+
+
+
+
+
+
+Home
+ Pro
+ Business
+ Enterprise
+ Education
+ Mobile
+ MobileEnterprise
+
+
+
-
-
-**WirelessDisplay/AllowProjectionFromPC**
-
-
-
@@ -20855,84 +20956,6 @@ ADMX Info:
-
-
-
-
-
-**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-
-
-
-**WirelessDisplay/AllowProjectionToPC**
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
-
@@ -20961,19 +20988,15 @@ ADMX Info:
-
-
-
**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
@@ -21018,6 +21018,10 @@ ADMX Info:
+
+
+**WirelessDisplay/RequirePinForPairing**
+
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
-
-**WirelessDisplay/RequirePinForPairing**
-
@@ -21030,21 +21034,17 @@ ADMX Info:
MobileEnterprise
+
-
-
-
-
-
-
+
-
-
-
-
-Home
- Pro
- Business
- Enterprise
- Education
- Mobile
- MobileEnterprise
-
-
-
-
+
+## IoT Core Support
+
+ApplicationDefaults/DefaultAssociationsConfiguration
+ApplicationManagement/AllowDeveloperUnlock
+Authentication/AllowFastReconnect
+Authentication/AllowSecondaryAuthenticationDevice
+Bluetooth/AllowAdvertising
+Bluetooth/AllowDiscoverableMode
+Bluetooth/AllowPrepairing
+Bluetooth/LocalDeviceName
+Bluetooth/ServicesAllowedList
+Browser/AllowAutofill
+Browser/AllowBrowser
+Browser/AllowCookies
+Browser/AllowDoNotTrack
+Browser/AllowInPrivate
+Browser/AllowPasswordManager
+Browser/AllowPopups
+Browser/AllowSearchSuggestionsinAddressBar
+Browser/EnterpriseModeSiteList
+Browser/EnterpriseSiteListServiceUrl
+Browser/SendIntranetTraffictoInternetExplorer
+Camera/AllowCamera
+Connectivity/AllowBluetooth
+Connectivity/AllowCellularDataRoaming
+Connectivity/AllowNFC
+Connectivity/AllowUSBConnection
+Connectivity/AllowVPNOverCellular
+Connectivity/AllowVPNRoamingOverCellular
+DataProtection/AllowDirectMemoryAccess
+Location/EnableLocation
+Security/AllowAddProvisioningPackage
+Security/AllowRemoveProvisioningPackage
+Security/RequireDeviceEncryption
+Security/RequireProvisioningPackageSignature
+System/AllowEmbeddedMode
+System/AllowFontProviders
+System/AllowStorageCard
+System/TelemetryProxy
+Update/AllowNonMicrosoftSignedUpdate
+Update/AllowUpdateService
+Update/BranchReadinessLevel
+Update/DeferFeatureUpdatesPeriodInDays
+Update/DeferQualityUpdatesPeriodInDays
+Update/ExcludeWUDriversInQualityUpdate
+Update/PauseDeferrals
+Update/PauseFeatureUpdates
+Update/PauseFeatureUpdatesStartTime
+Update/PauseQualityUpdates
+Update/PauseQualityUpdatesStartTime
+Update/RequireDeferUpgrade
+Update/RequireUpdateApproval
+Update/ScheduledInstallDay
+Update/ScheduledInstallTime
+Update/UpdateServiceUrl
+Wifi/AllowAutoConnectToWiFiSenseHotspots
+Wifi/AllowInternetSharing
+Wifi/AllowWiFi
+Wifi/AllowWiFiDirect
+Wifi/WLANScanMode
+WirelessDisplay/AllowProjectionFromPC
+WirelessDisplay/AllowProjectionFromPCOverInfrastructure
+WirelessDisplay/AllowProjectionToPCOverInfrastructure
+
+
+
+## Can be set using Exchange Active Sync (EAS)
+
+Browser/AllowBrowser
+Camera/AllowCamera
+Connectivity/AllowBluetooth
+Connectivity/AllowCellularDataRoaming
+Connectivity/AllowUSBConnection
+DeviceLock/AllowSimpleDevicePassword
+DeviceLock/AlphanumericDevicePasswordRequired
+DeviceLock/DevicePasswordEnabled
+DeviceLock/DevicePasswordExpiration
+DeviceLock/DevicePasswordHistory
+DeviceLock/MaxDevicePasswordFailedAttempts
+DeviceLock/MaxInactivityTimeDeviceLock
+DeviceLock/MinDevicePasswordComplexCharacters
+DeviceLock/MinDevicePasswordLength
+Search/AllowSearchToUseLocation
+Security/RequireDeviceEncryption
+System/AllowStorageCard
+System/TelemetryProxy
+Wifi/AllowInternetSharing
+Wifi/AllowWiFi
+
+
+
## Examples