Merge branch 'master' into MDBranch20H2LocalUsersAndGroups

2025-06-19 04:13:41 +00:00 · 2020-10-14 16:47:37 -07:00
parent a255615462 48ed662b21
commit 8268bbc185
8 changed files with 621 additions and 33 deletions
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@ -22,13 +22,10 @@ ms.topic: article

 - Windows 10

-From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
+From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).

 ![Remote Desktop Connection client](images/rdp.png)

-> [!TIP]
-> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
-
 ## Set up

 - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
@ -37,36 +34,39 @@ From its release, Windows 10 has supported remote connections to PCs joined to A
 Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.

 - On the PC you want to connect to:
+
  1. Open system properties for the remote PC.
+  
  2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.

-    ![Allow remote connections to this computer](images/allow-rdp.png)
+     ![Allow remote connections to this computer](images/allow-rdp.png)

-  3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
+  3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Click **Select Users -> Add** and enter the name of the user or group.

-    > [!NOTE]
-    > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
-    > ```PowerShell
-    > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
-    > ```
-    > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
-    >
-    > This command only works for AADJ device users already added to any of the local groups (administrators).
-    > Otherwise this command throws the below error. For example:
-    > - for cloud only user: "There is no such global user or group : *name*"
-    > - for synced user: "There is no such global user or group : *name*" </br>
-    >
-    > In Windows 10, version 1709, the user does not have to sign in to the remote device first.
-    >
-    > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
+     > [!NOTE]
+     > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
+     > ```powershell
+     > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
+     > ```
+     > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
+     >
+     > This command only works for AADJ device users already added to any of the local groups (administrators).
+     > Otherwise this command throws the below error. For example:
+     > - for cloud only user: "There is no such global user or group : *name*"
+     > - for synced user: "There is no such global user or group : *name*" </br>
+    
+     > [!NOTE]
+     > In Windows 10, version 1709, the user does not have to sign in to the remote device first.
+     >
+     > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
+   
+  4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.

-  4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
+     > [!TIP]
+     > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.

-  > [!TIP]
-  > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
-
-> [!Note]
-> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
+     > [!Note]
+     > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).

 ## Supported configurations

--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@ -308,6 +308,7 @@
 #### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
 #### [WindowsLogon](policy-csp-windowslogon.md)
 #### [WindowsPowerShell](policy-csp-windowspowershell.md)
+#### [WindowsSandbox](policy-csp-windowssandbox.md)
 #### [WirelessDisplay](policy-csp-wirelessdisplay.md)
 ### [PolicyManager CSP](policymanager-csp.md)
 ### [Provisioning CSP](provisioning-csp.md)
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -5575,6 +5575,29 @@ The following diagram shows the Policy configuration service provider in tree fo
  </dd>
 </dl>

+### WindowsSandbox policies  
+
+<dl>
+  <dd>
+    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowaudioinput" id="windowssandbox-allowaudioinput">WindowsSandbox/AllowAudioInput</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection" id="windowssandbox-allowclipboardredirection">WindowsSandbox/AllowClipboardRedirection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-windowssandbox.md#windowssandbox-allownetworking" id="windowssandbox-allownetworking">WindowsSandbox/AllowNetworking</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection" id="windowssandbox-allowprinterredirection">WindowsSandbox/AllowPrinterRedirection</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowvgpu" id="windowssandbox-allowvgpu">WindowsSandbox/AllowVGPU</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowvideoinput" id="windowssandbox-allowvideoinput">WindowsSandbox/AllowVideoInput</a>
+  </dd>
+</dl>
+
 ### WirelessDisplay policies

 <dl>
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@ -0,0 +1,561 @@
+---
+title: Policy CSP - WindowsSandbox
+description: Policy CSP - WindowsSandbox
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 10/14/2020
+---
+
+# Policy CSP - WindowsSandbox
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+<hr/>
+
+<!--Policies-->
+## WindowsSandbox policies  
+
+<dl>
+  <dd>
+    <a href="#windowssandbox-allowaudioinput">WindowsSandbox/AllowAudioInput</a>
+  </dd>
+  <dd>
+    <a href="#windowssandbox-allowclipboardredirection">WindowsSandbox/AllowClipboardRedirection</a>
+  </dd>
+  <dd>
+    <a href="#windowssandbox-allownetworking">WindowsSandbox/AllowNetworking</a>
+  </dd>
+  <dd>
+    <a href="#windowssandbox-allowprinterredirection">WindowsSandbox/AllowPrinterRedirection</a>
+  </dd>
+  <dd>
+    <a href="#windowssandbox-allowvgpu">WindowsSandbox/AllowVGPU</a>
+  </dd>
+  <dd>
+    <a href="#windowssandbox-allowvideoinput">WindowsSandbox/AllowVideoInput</a>
+  </dd>
+</dl>
+
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="windowssandbox-allowaudioinput"></a>**WindowsSandbox/AllowAudioInput**
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows the IT admin to enable or disable audio input to the Sandbox. 
+
+> [!NOTE]
+> There may be security implications of exposing host audio input to the container.
+
+If this policy is not configured, end-users get the default behavior (audio input enabled). 
+
+If audio input is disabled, a user will not be able to enable audio input from their own configuration file. 
+
+If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:
+
+- GP English Name: *Allow audio input in Windows Sandbox*
+- GP name: *AllowAudioInput*
+- GP path: *Windows Components/Windows Sandbox* 
+- GP ADMX file name: *WindowsSandbox.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following are the supported values:  
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+
+<!--Policy-->
+<a href="" id="windowssandbox-allowclipboardredirection"></a>**WindowsSandbox/AllowClipboardRedirection**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
+
+If this policy is not configured, end-users get the default behavior (clipboard redirection enabled. 
+
+If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file. 
+
+If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:
+
+- GP English Name: *Allow clipboard sharing with Windows Sandbox*
+- GP name: *AllowClipboardRedirection*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following are the supported values:  
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="windowssandbox-allownetworking"></a>**WindowsSandbox/AllowNetworking**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network.
+
+If this policy is not configured, end-users get the default behavior (networking enabled).
+
+If networking is disabled, a user will not be able to enable networking from their own configuration file.
+
+If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:
+
+- GP English Name: *Allow networking in Windows Sandbox*
+- GP name: *AllowNetworking*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following are the supported values:  
+- 0 - Disabled
+- 1 (default) - Enabled
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="windowssandbox-allowprinterredirection"></a>**WindowsSandbox/AllowPrinterRedirection**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. 
+
+If this policy is not configured, end-users get the default behavior (printer sharing disabled). 
+
+If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file. 
+
+If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:
+
+- GP English Name: *Allow printer sharing with Windows Sandbox*
+- GP name: *AllowPrinterRedirection*
+- GP path: *Windows Components/Windows Sandbox* 
+- GP ADMX file name: *WindowsSandbox.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="windowssandbox-allowvgpu"></a>**WindowsSandbox/AllowVGPU**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
+
+> [!NOTE]
+> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox. 
+
+If this policy is not configured, end-users get the default behavior (vGPU is disabled). 
+
+If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file. 
+
+If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:
+
+- GP English Name: *Allow vGPU sharing for Windows Sandbox*
+- GP name: *AllowVGPU*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following are the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="windowssandbox-allowvideoinput"></a>**WindowsSandbox/AllowVideoInput**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+    <th>Windows Edition</th>
+    <th>Supported?</th>
+</tr>
+<tr>
+    <td>Home</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Pro</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Business</td>
+    <td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+<tr>
+    <td>Enterprise</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+<tr>
+    <td>Education</td>
+    <td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting allows the IT admin to enable or disable video input to the Sandbox. 
+
+> [!NOTE]
+> There may be security implications of exposing host video input to the container.
+
+If this policy is not configured, users get the default behavior (video input disabled). 
+
+If video input is disabled, users will not be able to enable video input from their own configuration file. 
+
+If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info: 
+- GP English Name: *Allow video input in Windows Sandbox*
+- GP name: *AllowVideoInput*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+The following are the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 2010.
+
+<!--/Policies-->